CERTFR-2026-AVI-0812
Vulnerability from certfr_avis - Published: 2026-06-29 - Updated: 2026-06-29
Multiple vulnerabilities have been discovered in Microsoft Azure Linux. They allow an attacker to cause a security problem not specified by the vendor.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Microsoft | Azure Linux | azl3 libssh2 1.11.1-2 versions prior to 1.11.1-3 |
| Microsoft | Azure Linux | azl3 libssh2 1.11.1-3 versions prior to 1.11.1-3 |
| Microsoft | Azure Linux | azl3 nodejs 24.14.1-3 versions prior to 24.17.0-1 |
| Microsoft | Azure Linux | azl3 kernel 6.6.141.1-1 versions prior to 6.6.143.1-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 libssh2 1.11.1-2 versions ant\u00e9rieures \u00e0 1.11.1-3",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libssh2 1.11.1-3 versions ant\u00e9rieures \u00e0 1.11.1-3",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nodejs 24.14.1-3 versions ant\u00e9rieures \u00e0 24.17.0-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.141.1-1 versions ant\u00e9rieures \u00e0 6.6.143.1-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-9697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9697"
},
{
"name": "CVE-2026-53230",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53230"
},
{
"name": "CVE-2026-52934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52934"
},
{
"name": "CVE-2026-53214",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53214"
},
{
"name": "CVE-2026-53274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53274"
},
{
"name": "CVE-2026-52947",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52947"
},
{
"name": "CVE-2026-53218",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53218"
},
{
"name": "CVE-2026-53143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53143"
},
{
"name": "CVE-2026-53161",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53161"
},
{
"name": "CVE-2026-52924",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52924"
},
{
"name": "CVE-2026-53227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53227"
},
{
"name": "CVE-2026-53239",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53239"
},
{
"name": "CVE-2026-53181",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53181"
},
{
"name": "CVE-2026-52943",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52943"
},
{
"name": "CVE-2026-52915",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52915"
},
{
"name": "CVE-2026-53146",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53146"
},
{
"name": "CVE-2026-52913",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52913"
},
{
"name": "CVE-2026-52941",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52941"
},
{
"name": "CVE-2026-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53150"
},
{
"name": "CVE-2026-53147",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53147"
},
{
"name": "CVE-2026-52942",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52942"
},
{
"name": "CVE-2026-53183",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53183"
},
{
"name": "CVE-2026-52931",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52931"
},
{
"name": "CVE-2026-52919",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52919"
},
{
"name": "CVE-2026-53266",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53266"
},
{
"name": "CVE-2026-53149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53149"
},
{
"name": "CVE-2026-53176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53176"
},
{
"name": "CVE-2026-53158",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53158"
},
{
"name": "CVE-2026-53219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53219"
},
{
"name": "CVE-2026-53249",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53249"
},
{
"name": "CVE-2026-53217",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53217"
},
{
"name": "CVE-2026-52916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52916"
},
{
"name": "CVE-2026-53236",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53236"
},
{
"name": "CVE-2026-53225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53225"
},
{
"name": "CVE-2026-52922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52922"
},
{
"name": "CVE-2026-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53209"
},
{
"name": "CVE-2026-53135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53135"
},
{
"name": "CVE-2026-52927",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52927"
},
{
"name": "CVE-2026-53237",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53237"
},
{
"name": "CVE-2026-53186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53186"
},
{
"name": "CVE-2026-53182",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53182"
},
{
"name": "CVE-2026-53177",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53177"
},
{
"name": "CVE-2026-53255",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53255"
},
{
"name": "CVE-2026-53207",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53207"
},
{
"name": "CVE-2026-53160",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53160"
},
{
"name": "CVE-2026-53245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53245"
},
{
"name": "CVE-2026-53148",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53148"
},
{
"name": "CVE-2026-53133",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53133"
},
{
"name": "CVE-2026-53263",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53263"
},
{
"name": "CVE-2026-53228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53228"
},
{
"name": "CVE-2026-53194",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53194"
},
{
"name": "CVE-2026-53242",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53242"
},
{
"name": "CVE-2026-53199",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53199"
},
{
"name": "CVE-2026-53247",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53247"
},
{
"name": "CVE-2026-53268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53268"
},
{
"name": "CVE-2026-53159",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53159"
},
{
"name": "CVE-2026-9675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9675"
},
{
"name": "CVE-2026-53080",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53080"
},
{
"name": "CVE-2026-53267",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53267"
},
{
"name": "CVE-2026-52912",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52912"
},
{
"name": "CVE-2026-53221",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53221"
},
{
"name": "CVE-2026-53275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53275"
},
{
"name": "CVE-2026-55200",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55200"
},
{
"name": "CVE-2026-53215",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53215"
},
{
"name": "CVE-2026-53253",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53253"
},
{
"name": "CVE-2026-53252",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53252"
},
{
"name": "CVE-2026-53270",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53270"
},
{
"name": "CVE-2026-53264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53264"
},
{
"name": "CVE-2026-53184",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53184"
},
{
"name": "CVE-2026-53254",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53254"
},
{
"name": "CVE-2026-53238",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53238"
},
{
"name": "CVE-2026-52921",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52921"
},
{
"name": "CVE-2026-53213",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53213"
},
{
"name": "CVE-2026-52930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52930"
},
{
"name": "CVE-2026-53265",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53265"
},
{
"name": "CVE-2026-52923",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52923"
},
{
"name": "CVE-2026-53154",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53154"
},
{
"name": "CVE-2026-53196",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53196"
},
{
"name": "CVE-2026-52926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52926"
}
],
"initial_release_date": "2026-06-29T00:00:00",
"last_revision_date": "2026-06-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0812",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure Linux. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Linux",
"vendor_advisories": [
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53215",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53215"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53209",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53209"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52912",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52912"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-9697",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9697"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53080",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53080"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53247",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53247"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53218",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53218"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53221",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53221"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53255",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53255"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52926",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52926"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52916",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52916"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52924",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52924"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53239",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53239"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53254",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53254"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-9675",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9675"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52930",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52930"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52941",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52941"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53236",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53236"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53176",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53176"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52942",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52942"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53268",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53268"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53266",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53266"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53160",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53160"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53148",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53148"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53270",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53270"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53217",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53217"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52934",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52934"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53253",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53253"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52943",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52943"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53227",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53227"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53182",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53182"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53230",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53230"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53186",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53186"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53184",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53184"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53161",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53161"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52923",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52923"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53237",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53237"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53213",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53213"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52947",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52947"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53245",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53245"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52922",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52922"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53159",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53159"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53150",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53150"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53275",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53275"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53133",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53133"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53264",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53264"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53267",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53267"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53265",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53265"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53196",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53196"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53219",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53219"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53149",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53149"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53242",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53242"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53146",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53146"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53252",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53252"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53194",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53194"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52919",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52919"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52931",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52931"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52921",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52921"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53181",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53181"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53154",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53154"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52913",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52913"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53135",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53135"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53183",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53183"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53249",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53249"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53228",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53228"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53147",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53147"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53143",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53143"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53158",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53158"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52915",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52915"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53238",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53238"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53263",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53263"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53207",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53207"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53225",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53225"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53214",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53214"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-55200",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55200"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53177",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53177"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53199",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53199"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-52927",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-52927"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-53274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53274"
}
]
}
CVE-2026-53265 (GCVE-0-2026-53265)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
dm cache policy smq: check allocation under invalidate lock
Summary
In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: check allocation under invalidate lock

commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks") added mq->lock around the destructive part of smq_invalidate_mapping(), but left the e->allocated check outside the critical section.

That leaves a check-then-act race. Two concurrent invalidators can both observe e->allocated as true before either of them takes mq->lock. The first invalidator that acquires the lock removes the entry from the queues and hash table and then calls free_entry(), which clears e->allocated and puts the entry back on the free list. The second invalidator can then acquire mq->lock and continue with the stale result of the unlocked check.

This can corrupt the SMQ queues or hash table by deleting an entry that is no longer on those structures. It can also hit the allocation check in free_entry() when the same entry is freed again.

Move the allocation check under mq->lock so the predicate and the destructive operations are serialized by the same lock.

Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4991b5a08751e2e82488fb93ae08849b6aea10d9 , < c242c7af2aecf0b538b8623bdb86b8b441da38d9 (git) |
| Linux | Linux | Affected: 1b2bec4a7dcf5f00b7a1cbeeec8997841d783513 , < 13da856c86fb8c2ccab95034fd77da1bb2c2a17c (git) |
| Linux | Linux | Affected: 9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e , < d886945fcb0f8c9dc6b39928d7a96c95c587346c (git) |
| Linux | Linux | Affected: ac5ee99443891bdb161f5539606a66a1b5e72542 , < b4892561552d671bd8c4da5ebb70e9fbb1ec446e (git) |
| Linux | Linux | Affected: 93627a29d4b66d4a2def938dfb8610cc80ae454b , < 03ffe1112ed88bb3a9bd0b971549bf4d64bfc59a (git) |
| Linux | Linux | Affected: c348ae47d8e65f06429fa41adce9ad986b696766 , < 42ff6774ecd9d7f70d599cb71ff64373a1da4948 (git) |
| Linux | Linux | Affected: 2b62d0611c9af14a16bddf22df2612b4f40eb5a1 , < c57570fba24016ec25ec046ab44db39143fb7a64 (git) |
| Linux | Linux | Affected: 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45 , < d3f0a606b9f278ece8a0df626ded9c4044071235 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-policy-smq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c242c7af2aecf0b538b8623bdb86b8b441da38d9",
"status": "affected",
"version": "4991b5a08751e2e82488fb93ae08849b6aea10d9",
"versionType": "git"
},
{
"lessThan": "13da856c86fb8c2ccab95034fd77da1bb2c2a17c",
"status": "affected",
"version": "1b2bec4a7dcf5f00b7a1cbeeec8997841d783513",
"versionType": "git"
},
{
"lessThan": "d886945fcb0f8c9dc6b39928d7a96c95c587346c",
"status": "affected",
"version": "9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e",
"versionType": "git"
},
{
"lessThan": "b4892561552d671bd8c4da5ebb70e9fbb1ec446e",
"status": "affected",
"version": "ac5ee99443891bdb161f5539606a66a1b5e72542",
"versionType": "git"
},
{
"lessThan": "03ffe1112ed88bb3a9bd0b971549bf4d64bfc59a",
"status": "affected",
"version": "93627a29d4b66d4a2def938dfb8610cc80ae454b",
"versionType": "git"
},
{
"lessThan": "42ff6774ecd9d7f70d599cb71ff64373a1da4948",
"status": "affected",
"version": "c348ae47d8e65f06429fa41adce9ad986b696766",
"versionType": "git"
},
{
"lessThan": "c57570fba24016ec25ec046ab44db39143fb7a64",
"status": "affected",
"version": "2b62d0611c9af14a16bddf22df2612b4f40eb5a1",
"versionType": "git"
},
{
"lessThan": "d3f0a606b9f278ece8a0df626ded9c4044071235",
"status": "affected",
"version": "2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-policy-smq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.10.259",
"status": "affected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "7.0.10",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10.258",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "7.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache policy smq: check allocation under invalidate lock\n\ncommit 2d1f7b65f5de (\"dm cache policy smq: fix missing locks in\ninvalidating cache blocks\") added mq-\u003elock around the destructive part of\nsmq_invalidate_mapping(), but left the e-\u003eallocated check outside the\ncritical section.\n\nThat leaves a check-then-act race. Two concurrent invalidators can both\nobserve e-\u003eallocated as true before either of them takes mq-\u003elock. The\nfirst invalidator that acquires the lock removes the entry from the\nqueues and hash table and then calls free_entry(), which clears\ne-\u003eallocated and puts the entry back on the free list. The second\ninvalidator can then acquire mq-\u003elock and continue with the stale result\nof the unlocked check.\n\nThis can corrupt the SMQ queues or hash table by deleting an entry that\nis no longer on those structures. It can also hit the allocation check in\nfree_entry() when the same entry is freed again.\n\nMove the allocation check under mq-\u003elock so the predicate and the\ndestructive operations are serialized by the same lock."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:08.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c242c7af2aecf0b538b8623bdb86b8b441da38d9"
},
{
"url": "https://git.kernel.org/stable/c/13da856c86fb8c2ccab95034fd77da1bb2c2a17c"
},
{
"url": "https://git.kernel.org/stable/c/d886945fcb0f8c9dc6b39928d7a96c95c587346c"
},
{
"url": "https://git.kernel.org/stable/c/b4892561552d671bd8c4da5ebb70e9fbb1ec446e"
},
{
"url": "https://git.kernel.org/stable/c/03ffe1112ed88bb3a9bd0b971549bf4d64bfc59a"
},
{
"url": "https://git.kernel.org/stable/c/42ff6774ecd9d7f70d599cb71ff64373a1da4948"
},
{
"url": "https://git.kernel.org/stable/c/c57570fba24016ec25ec046ab44db39143fb7a64"
},
{
"url": "https://git.kernel.org/stable/c/d3f0a606b9f278ece8a0df626ded9c4044071235"
}
],
"title": "dm cache policy smq: check allocation under invalidate lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53265",
"datePublished": "2026-06-25T08:39:52.543Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:08.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53253 (GCVE-0-2026-53253)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
Bluetooth: bnep: reject short frames before parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bnep: reject short frames before parsing
A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the
packet type byte immediately and, for control packets, reads the control
opcode and setup UUID-size byte before proving that those bytes are
present. bnep_rx_control() also dereferences the control opcode without
rejecting an empty control payload.
Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL
return gates each dereference. Split the control handler so the frame
path can pass an opcode that has already been pulled, and keep the
byte-buffer wrapper for extension control payloads.
For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the
setup payload. struct bnep_setup_conn_req carries destination and source
service UUIDs after that byte, each uuid_size bytes, so the parser now
documents that tuple explicitly instead of leaving the pull length as an
opaque multiplication.
Validation reproduced this kernel report:
KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790
The buggy address belongs to the object at ffff88800c0f7908 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 1-byte
region [ffff88800c0f7908, ffff88800c0f7909)
Read of size 1
Call trace:
dump_stack_lvl+0xb3/0x140 (?:?)
print_address_description+0x57/0x3a0 (?:?)
bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)
print_report+0xb9/0x2b0 (?:?)
__virt_addr_valid+0x1ba/0x3a0 (?:?)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
kasan_addr_to_slab+0x21/0x60 (?:?)
kasan_report+0xe0/0x110 (?:?)
process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)
worker_thread+0x65c/0xe40 (?:?)
__kthread_parkme+0x184/0x230 (?:?)
kthread+0x35e/0x470 (?:?)
_raw_spin_unlock_irq+0x28/0x50 (?:?)
ret_from_fork+0x586/0x870 (?:?)
__switch_to+0x74f/0xdc0 (?:?)
ret_from_fork_asm+0x1a/0x30 (?:?)
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 0ef2ea86c82b2615902d085cd5a586fe9f58994f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2b83afb19293e4de700edae306115f18966dc4f9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 691f14b6a48b637655755134f1e551c7c6fedc2e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < d76dec1a37122bc16d83d059c08c0512ea8de909 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < c893e17d2809ec9c4b3f1cdd5847cecbc27a311b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < be837cd09897e9e6e1958174501d467bdcbcc2bc (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 6770d3a8acdf9151769180cc3710346c4cfbe6f0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/bnep/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ef2ea86c82b2615902d085cd5a586fe9f58994f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b83afb19293e4de700edae306115f18966dc4f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "691f14b6a48b637655755134f1e551c7c6fedc2e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d76dec1a37122bc16d83d059c08c0512ea8de909",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c893e17d2809ec9c4b3f1cdd5847cecbc27a311b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be837cd09897e9e6e1958174501d467bdcbcc2bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6770d3a8acdf9151769180cc3710346c4cfbe6f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/bnep/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bnep: reject short frames before parsing\n\nA BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the\npacket type byte immediately and, for control packets, reads the control\nopcode and setup UUID-size byte before proving that those bytes are\npresent. bnep_rx_control() also dereferences the control opcode without\nrejecting an empty control payload.\n\nUse skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL\nreturn gates each dereference. Split the control handler so the frame\npath can pass an opcode that has already been pulled, and keep the\nbyte-buffer wrapper for extension control payloads.\n\nFor BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the\nsetup payload. struct bnep_setup_conn_req carries destination and source\nservice UUIDs after that byte, each uuid_size bytes, so the parser now\ndocuments that tuple explicitly instead of leaving the pull length as an\nopaque multiplication.\n\nValidation reproduced this kernel report:\nKASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790\nThe buggy address belongs to the object at ffff88800c0f7908 which belongs\nto the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes to the right of allocated 1-byte\nregion [ffff88800c0f7908, ffff88800c0f7909)\nRead of size 1\nCall trace:\n dump_stack_lvl+0xb3/0x140 (?:?)\n print_address_description+0x57/0x3a0 (?:?)\n bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)\n print_report+0xb9/0x2b0 (?:?)\n __virt_addr_valid+0x1ba/0x3a0 (?:?)\n srso_alias_return_thunk+0x5/0xfbef5 (?:?)\n kasan_addr_to_slab+0x21/0x60 (?:?)\n kasan_report+0xe0/0x110 (?:?)\n process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)\n worker_thread+0x65c/0xe40 (?:?)\n __kthread_parkme+0x184/0x230 (?:?)\n kthread+0x35e/0x470 (?:?)\n _raw_spin_unlock_irq+0x28/0x50 (?:?)\n ret_from_fork+0x586/0x870 (?:?)\n __switch_to+0x74f/0xdc0 (?:?)\n ret_from_fork_asm+0x1a/0x30 (?:?)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:57.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ef2ea86c82b2615902d085cd5a586fe9f58994f"
},
{
"url": "https://git.kernel.org/stable/c/2b83afb19293e4de700edae306115f18966dc4f9"
},
{
"url": "https://git.kernel.org/stable/c/691f14b6a48b637655755134f1e551c7c6fedc2e"
},
{
"url": "https://git.kernel.org/stable/c/d76dec1a37122bc16d83d059c08c0512ea8de909"
},
{
"url": "https://git.kernel.org/stable/c/c893e17d2809ec9c4b3f1cdd5847cecbc27a311b"
},
{
"url": "https://git.kernel.org/stable/c/be837cd09897e9e6e1958174501d467bdcbcc2bc"
},
{
"url": "https://git.kernel.org/stable/c/6770d3a8acdf9151769180cc3710346c4cfbe6f0"
}
],
"title": "Bluetooth: bnep: reject short frames before parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53253",
"datePublished": "2026-06-25T08:39:44.612Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-28T06:40:57.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52931 (GCVE-0-2026-52931)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
batman-adv: tp_meter: avoid use of uninit sender vars
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: tp_meter: avoid use of uninit sender vars
batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the
BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it
proceeds to read sender-only members that were never initialized, leading
to undefined behavior.
This can be triggered when a node that is currently acting as a receiver in
an ongoing tp_meter session receives a malicious ACK packet.
Guard against this by checking tp_vars->role immediately after the
lookup and bailing out if it is not BATADV_TP_SENDER, before any of
those members are accessed.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 0e388af04b3958b178a1b979527f93eb46ea1fee (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 1a21c055f66e78973712a4a1be2a554f1ee2e4f4 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 9884c9c02d3c90e9215db3c5128f59045d20ae91 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 53f931e0146ae5bdab4cba302646827d06b3794b (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < ecdaa3e4d91040206afe21bc8a0d1198a0971ff3 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < dc2ae5fbd2dadc26735092f140b246841d969a11 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 85397e48afe6be83ffca5ad3f4792296bfc81d3d (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e, < 6c65cf23d4c6170fcf5714c32aa64689718cb142 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tp_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e388af04b3958b178a1b979527f93eb46ea1fee",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "1a21c055f66e78973712a4a1be2a554f1ee2e4f4",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "9884c9c02d3c90e9215db3c5128f59045d20ae91",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "53f931e0146ae5bdab4cba302646827d06b3794b",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "ecdaa3e4d91040206afe21bc8a0d1198a0971ff3",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "dc2ae5fbd2dadc26735092f140b246841d969a11",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "85397e48afe6be83ffca5ad3f4792296bfc81d3d",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "6c65cf23d4c6170fcf5714c32aa64689718cb142",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tp_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tp_meter: avoid use of uninit sender vars\n\nbatadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the\nBATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it\nproceeds to read sender-only members that were never initialized, leading\nto undefined behavior.\n\nThis can be triggered when a node that is currently acting as a receiver in\nan ongoing tp_meter session receives a malicious ACK packet.\n\nGuard against this by checking tp_vars-\u003erole immediately after the\nlookup and bailing out if it is not BATADV_TP_SENDER, before any of\nthose members are accessed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:51.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e388af04b3958b178a1b979527f93eb46ea1fee"
},
{
"url": "https://git.kernel.org/stable/c/1a21c055f66e78973712a4a1be2a554f1ee2e4f4"
},
{
"url": "https://git.kernel.org/stable/c/9884c9c02d3c90e9215db3c5128f59045d20ae91"
},
{
"url": "https://git.kernel.org/stable/c/53f931e0146ae5bdab4cba302646827d06b3794b"
},
{
"url": "https://git.kernel.org/stable/c/ecdaa3e4d91040206afe21bc8a0d1198a0971ff3"
},
{
"url": "https://git.kernel.org/stable/c/dc2ae5fbd2dadc26735092f140b246841d969a11"
},
{
"url": "https://git.kernel.org/stable/c/85397e48afe6be83ffca5ad3f4792296bfc81d3d"
},
{
"url": "https://git.kernel.org/stable/c/6c65cf23d4c6170fcf5714c32aa64689718cb142"
}
],
"title": "batman-adv: tp_meter: avoid use of uninit sender vars",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52931",
"datePublished": "2026-06-24T07:14:23.349Z",
"dateReserved": "2026-06-09T07:44:35.369Z",
"dateUpdated": "2026-06-28T06:36:51.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52943 (GCVE-0-2026-52943)
Vulnerability from cvelistv5 – Published: 2026-06-24 09:00 – Updated: 2026-06-30 12:09
Title
net: skbuff: fix missing zerocopy reference in pskb_carve helpers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: fix missing zerocopy reference in pskb_carve helpers
pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.
KASAN reports use-after-free on a freed ubuf_info_msgzc:
BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
Read of size 8 at addr ffff88801574d3e8 by task poc/220
Call Trace:
skb_release_data+0x77b/0x810
kfree_skb_list_reason+0x13e/0x610
skb_release_data+0x4cd/0x810
sk_skb_reason_drop+0xf3/0x340
skb_queue_purge_reason+0x282/0x440
rds_tcp_inc_free+0x1e/0x30
rds_recvmsg+0x354/0x1780
__sys_recvmsg+0xdf/0x180
Allocated by task 219:
msg_zerocopy_realloc+0x157/0x7b0
tcp_sendmsg_locked+0x2892/0x3ba0
Freed by task 219:
ip_recv_error+0x74a/0xb10
tcp_recvmsg+0x475/0x530
The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.
The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().
Severity
7.8 (High)
CWE
- CWE-911 - Improper Update of Reference Count
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 8dbed691e43a50903658130bde0fcb5abc425b37 (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 9b40bdc2a3298225dffab8158208a0d8c6300578 (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < fd470f0a97b8e9a125f520265d2f3b088ffb5b8a (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < ceafb893b12f23331dcc5ff9587e643c3a40ee9f (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 2e0e74c59b2761a414d9f48d7bee1e45220b2427 (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 96a4713ae041cc85e712bac682cd2e644004d6c6 (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 474d6c771d798bca84f0a140b611e36743511e18 (git) |
| Linux | Linux | Affected: 6fa01ccd883021105e9f8af7d04b9f156fa3494a, < 98d0912e9f841e5529a5b89a972805f34cb1c69d (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel. The `pskb_carve_inside_header()` and `pskb_carve_inside_nonlinear()` helper functions, which handle network packet buffers, do not correctly account for zero-copy references. This oversight can lead to a use-after-free vulnerability, where memory is prematurely released while still in use. A local unprivileged user can exploit this flaw to achieve full root privilege escalation on the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-911",
"description": "Improper Update of Reference Count",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:45.796Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-52943"
},
{
"name": "RHBZ#2492137",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492137"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52943.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dbed691e43a50903658130bde0fcb5abc425b37",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "9b40bdc2a3298225dffab8158208a0d8c6300578",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "fd470f0a97b8e9a125f520265d2f3b088ffb5b8a",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "ceafb893b12f23331dcc5ff9587e643c3a40ee9f",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "2e0e74c59b2761a414d9f48d7bee1e45220b2427",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "96a4713ae041cc85e712bac682cd2e644004d6c6",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "474d6c771d798bca84f0a140b611e36743511e18",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
},
{
"lessThan": "98d0912e9f841e5529a5b89a972805f34cb1c69d",
"status": "affected",
"version": "6fa01ccd883021105e9f8af7d04b9f156fa3494a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg-\u003erefcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n Call Trace:\n skb_release_data+0x77b/0x810\n kfree_skb_list_reason+0x13e/0x610\n skb_release_data+0x4cd/0x810\n sk_skb_reason_drop+0xf3/0x340\n skb_queue_purge_reason+0x282/0x440\n rds_tcp_inc_free+0x1e/0x30\n rds_recvmsg+0x354/0x1780\n __sys_recvmsg+0xdf/0x180\n\n Allocated by task 219:\n msg_zerocopy_realloc+0x157/0x7b0\n tcp_sendmsg_locked+0x2892/0x3ba0\n\n Freed by task 219:\n ip_recv_error+0x74a/0xb10\n tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo-\u003edestructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:37:01.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dbed691e43a50903658130bde0fcb5abc425b37"
},
{
"url": "https://git.kernel.org/stable/c/9b40bdc2a3298225dffab8158208a0d8c6300578"
},
{
"url": "https://git.kernel.org/stable/c/fd470f0a97b8e9a125f520265d2f3b088ffb5b8a"
},
{
"url": "https://git.kernel.org/stable/c/ceafb893b12f23331dcc5ff9587e643c3a40ee9f"
},
{
"url": "https://git.kernel.org/stable/c/2e0e74c59b2761a414d9f48d7bee1e45220b2427"
},
{
"url": "https://git.kernel.org/stable/c/96a4713ae041cc85e712bac682cd2e644004d6c6"
},
{
"url": "https://git.kernel.org/stable/c/474d6c771d798bca84f0a140b611e36743511e18"
},
{
"url": "https://git.kernel.org/stable/c/98d0912e9f841e5529a5b89a972805f34cb1c69d"
}
],
"title": "net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52943",
"datePublished": "2026-06-24T09:00:12.292Z",
"dateReserved": "2026-06-09T07:44:35.371Z",
"dateUpdated": "2026-06-30T12:09:45.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53252 (GCVE-0-2026-53252)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
Bluetooth: fix memory leak in error path of hci_alloc_dev()
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix memory leak in error path of hci_alloc_dev()

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 90dee0a0ff84fac8accd5be98412b3819f667149 , < 5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd (git) |
| Linux | Linux | Affected: c56b177efce8b62798e4d96bdb9867106cb7c4a0 , < c016118b9e51eeaf5bc93850d4c455a3b583c0aa (git) |
| Linux | Linux | Affected: bc0819a25e04cd68ef3568cfa51b63118fea39a7 , < 0622e527a31d4b44737fed5c1a2ac1fc2cfb5184 (git) |
| Linux | Linux | Affected: ce23b73f0f27e2dbeb81734a79db710f05aa33c6 , < bc2efe73c194a74839d7cf57b63880d97e21d309 (git) |
| Linux | Linux | Affected: 1d6123102e9fbedc8d25bf4731da6d513173e49e , < ce4b4cac3c5749b6aa75e62e2991ae2263f2f889 (git) |
| Linux | Linux | Affected: 1d6123102e9fbedc8d25bf4731da6d513173e49e , < f82799407a50af7bcacacf09cc9b279af8fe9b81 (git) |
| Linux | Linux | Affected: 1d6123102e9fbedc8d25bf4731da6d513173e49e , < 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f (git) |
| Linux | Linux | Affected: dd4becd3fd4102696e1c15e6d260a1712a2d8685 (git) |
| Linux | Linux | Affected: 0e5c144c557df910ab64d9c25d06399a9a735e65 (git) |
| Linux | Linux | Affected: 5.15.209 , < 5.15.210 (semver) |
| Linux | Linux | Affected: 6.1.167 , < 6.1.176 (semver) |
| Linux | Linux | Affected: 6.6.97 , < 6.6.143 (semver) |
| Linux | Linux | Affected: 6.12.36 , < 6.12.94 (semver) |
| Linux | Linux | Affected: 5.10.259 , < 5.11 (semver) |
| Linux | Linux | Affected: 6.15.5 , < 6.16 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd",
"status": "affected",
"version": "90dee0a0ff84fac8accd5be98412b3819f667149",
"versionType": "git"
},
{
"lessThan": "c016118b9e51eeaf5bc93850d4c455a3b583c0aa",
"status": "affected",
"version": "c56b177efce8b62798e4d96bdb9867106cb7c4a0",
"versionType": "git"
},
{
"lessThan": "0622e527a31d4b44737fed5c1a2ac1fc2cfb5184",
"status": "affected",
"version": "bc0819a25e04cd68ef3568cfa51b63118fea39a7",
"versionType": "git"
},
{
"lessThan": "bc2efe73c194a74839d7cf57b63880d97e21d309",
"status": "affected",
"version": "ce23b73f0f27e2dbeb81734a79db710f05aa33c6",
"versionType": "git"
},
{
"lessThan": "ce4b4cac3c5749b6aa75e62e2991ae2263f2f889",
"status": "affected",
"version": "1d6123102e9fbedc8d25bf4731da6d513173e49e",
"versionType": "git"
},
{
"lessThan": "f82799407a50af7bcacacf09cc9b279af8fe9b81",
"status": "affected",
"version": "1d6123102e9fbedc8d25bf4731da6d513173e49e",
"versionType": "git"
},
{
"lessThan": "37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f",
"status": "affected",
"version": "1d6123102e9fbedc8d25bf4731da6d513173e49e",
"versionType": "git"
},
{
"status": "affected",
"version": "dd4becd3fd4102696e1c15e6d260a1712a2d8685",
"versionType": "git"
},
{
"status": "affected",
"version": "0e5c144c557df910ab64d9c25d06399a9a735e65",
"versionType": "git"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.259",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix memory leak in error path of hci_alloc_dev()\n\nEarly failures in Bluetooth HCI UART configuration leak SRCU percpu\nmemory.\n\nWhen device initialization fails before hci_register_dev() completes,\nthe HCI_UNREGISTER flag is never set. As a result, when the device\nreference count reaches zero, bt_host_release() evaluates this flag as\nfalse and falls back to a direct kfree(hdev).\n\nBecause hci_release_dev() is bypassed, the SRCU struct initialized\nearly in hci_alloc_dev() is never cleaned up, resulting in a leak of\npercpu memory.\n\nFix the leak by explicitly calling cleanup_srcu_struct() in the\nfallback (unregistered) branch of bt_host_release() before freeing\nthe device."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:43.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd"
},
{
"url": "https://git.kernel.org/stable/c/c016118b9e51eeaf5bc93850d4c455a3b583c0aa"
},
{
"url": "https://git.kernel.org/stable/c/0622e527a31d4b44737fed5c1a2ac1fc2cfb5184"
},
{
"url": "https://git.kernel.org/stable/c/bc2efe73c194a74839d7cf57b63880d97e21d309"
},
{
"url": "https://git.kernel.org/stable/c/ce4b4cac3c5749b6aa75e62e2991ae2263f2f889"
},
{
"url": "https://git.kernel.org/stable/c/f82799407a50af7bcacacf09cc9b279af8fe9b81"
},
{
"url": "https://git.kernel.org/stable/c/37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f"
}
],
"title": "Bluetooth: fix memory leak in error path of hci_alloc_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53252",
"datePublished": "2026-06-25T08:39:43.951Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-25T08:39:43.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53150 (GCVE-0-2026-53150)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
thunderbolt: Reject zero-length property entries in validator
Summary
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Reject zero-length property entries in validator

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

    property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to
the allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 581c2053ab4dbe27e83c9e62deb4c73aa8dc0c3a (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 35d6c9252a152e756768a26dbf216b9dd9dd8e92 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 99d9dbad1463afb510d42c9714f846361d1b726d (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 5f56bc6bddffe8710ba0ba8844023b5a44ca90e4 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < ca11e7da4fba4b394f69e16448f4463c44c84de6 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 2e0ddac549ebd713eb9f4a15b6496e3440a17d8b (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < 3b6e68cb97f725385010264a873e14a3921b6b8a (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179 , < cff8eb65d1eafe7793e54b4d0cf6bf831644630b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "581c2053ab4dbe27e83c9e62deb4c73aa8dc0c3a",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "35d6c9252a152e756768a26dbf216b9dd9dd8e92",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "99d9dbad1463afb510d42c9714f846361d1b726d",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "5f56bc6bddffe8710ba0ba8844023b5a44ca90e4",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "ca11e7da4fba4b394f69e16448f4463c44c84de6",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "2e0ddac549ebd713eb9f4a15b6496e3440a17d8b",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "3b6e68cb97f725385010264a873e14a3921b6b8a",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "cff8eb65d1eafe7793e54b4d0cf6bf831644630b",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Reject zero-length property entries in validator\n\ntb_property_entry_valid() accepts entries with length == 0 for\nDIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes\nvalidation but causes an underflow in the null-termination logic:\n\n property-\u003evalue.text[property-\u003elength * 4 - 1] = \u0027\\0\u0027;\n\nWhen property-\u003elength is 0 this writes to offset -1 relative to\nthe allocation.\n\nReject zero-length entries early in the validator since they have no\nvalid representation in the XDomain property protocol."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:35.531Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/581c2053ab4dbe27e83c9e62deb4c73aa8dc0c3a"
},
{
"url": "https://git.kernel.org/stable/c/35d6c9252a152e756768a26dbf216b9dd9dd8e92"
},
{
"url": "https://git.kernel.org/stable/c/99d9dbad1463afb510d42c9714f846361d1b726d"
},
{
"url": "https://git.kernel.org/stable/c/5f56bc6bddffe8710ba0ba8844023b5a44ca90e4"
},
{
"url": "https://git.kernel.org/stable/c/ca11e7da4fba4b394f69e16448f4463c44c84de6"
},
{
"url": "https://git.kernel.org/stable/c/2e0ddac549ebd713eb9f4a15b6496e3440a17d8b"
},
{
"url": "https://git.kernel.org/stable/c/3b6e68cb97f725385010264a873e14a3921b6b8a"
},
{
"url": "https://git.kernel.org/stable/c/cff8eb65d1eafe7793e54b4d0cf6bf831644630b"
}
],
"title": "thunderbolt: Reject zero-length property entries in validator",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53150",
"datePublished": "2026-06-25T08:38:35.531Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-25T08:38:35.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53255 (GCVE-0-2026-53255)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
Bluetooth: MGMT: validate advertising TLV before type checks
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate advertising TLV before type checks

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
  Read of size 1
  Call trace:
   tlv_data_is_valid()
   add_advertising()
   hci_mgmt_cmd()
   hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 13ad995071a06570668dd8daab3616c247c72080 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 06fcbd79c3c360a50f9be9d370769bbd738d0976 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < f7093ac233c1e7f51d125534f46067772a113175 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 74c08e4db35a476c3462aeb65846f955be732626 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 18fea1cb0c2599752e908c8217490f73ddd33e00 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 1a3c8ffbb469859b076445af44bdfa6a711d483e (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < 2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57 (git) |
| Linux | Linux | Affected: 2bb36870e8cb29949ef9acec37129cd8e70f1857 , < de23fb62259aa01d294f77238ae3b835eb674413 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ad995071a06570668dd8daab3616c247c72080",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "06fcbd79c3c360a50f9be9d370769bbd738d0976",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "f7093ac233c1e7f51d125534f46067772a113175",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "74c08e4db35a476c3462aeb65846f955be732626",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "18fea1cb0c2599752e908c8217490f73ddd33e00",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "1a3c8ffbb469859b076445af44bdfa6a711d483e",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
},
{
"lessThan": "de23fb62259aa01d294f77238ae3b835eb674413",
"status": "affected",
"version": "2bb36870e8cb29949ef9acec37129cd8e70f1857",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate advertising TLV before type checks\n\ntlv_data_is_valid() reads each advertising data field length from\ndata[i], then inspects data[i + 1] for managed EIR types before\nchecking that the current field still fits inside the supplied buffer.\n\nA malformed field whose length byte is the last byte of the buffer can\ntherefore make the parser read one byte past the advertising data.\n\nKASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING\nrequest reached that path:\n\n BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()\n Read of size 1\n Call trace:\n tlv_data_is_valid()\n add_advertising()\n hci_mgmt_cmd()\n hci_sock_sendmsg()\n\nMove the existing element-length check before any type-octet inspection\nso each non-empty element is proven to contain its type byte before the\nparser looks at data[i + 1]."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:45.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ad995071a06570668dd8daab3616c247c72080"
},
{
"url": "https://git.kernel.org/stable/c/06fcbd79c3c360a50f9be9d370769bbd738d0976"
},
{
"url": "https://git.kernel.org/stable/c/f7093ac233c1e7f51d125534f46067772a113175"
},
{
"url": "https://git.kernel.org/stable/c/74c08e4db35a476c3462aeb65846f955be732626"
},
{
"url": "https://git.kernel.org/stable/c/18fea1cb0c2599752e908c8217490f73ddd33e00"
},
{
"url": "https://git.kernel.org/stable/c/1a3c8ffbb469859b076445af44bdfa6a711d483e"
},
{
"url": "https://git.kernel.org/stable/c/2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57"
},
{
"url": "https://git.kernel.org/stable/c/de23fb62259aa01d294f77238ae3b835eb674413"
}
],
"title": "Bluetooth: MGMT: validate advertising TLV before type checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53255",
"datePublished": "2026-06-25T08:39:45.934Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-25T08:39:45.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52941 (GCVE-0-2026-52941)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint

The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and
smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk:

    __string(name, smc->conn.lnk->ibname)

conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on
these paths already handles this (e.g. !conn->lnk in
SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first
sendmsg()/recvmsg() on an SMC-D socket crashes:

  Oops: general protection fault, probably for non-canonical address
  KASAN: null-ptr-deref in range [...]
  RIP: 0010:strlen+0x1e/0xa0
  Call Trace:
   trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
   smc_rx_recvmsg (net/smc/smc_rx.c:515)
   smc_recvmsg (net/smc/af_smc.c:2859)
   __sys_recvfrom (net/socket.c:2315)
   __x64_sys_recvfrom (net/socket.c:2326)
   do_syscall_64

The faulting address 0x3e0 is offsetof(struct smc_link, ibname),
confirming the NULL ->lnk deref. Enabling the tracepoint requires
root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has
no capability check, and SMC-D negotiation needs no admin step on
s390 or on x86 with the loopback ISM device loaded.

Log an empty device name for SMC-D instead of dereferencing NULL.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < 68200112534bb2acd1d7117dc2d5c124868d866d (git) |
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < 720c76b930c52cd58f50eb6b10569d03dccc7959 (git) |
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef (git) |
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < d2ea0b8aef8746e147602eac87ca8538f4bc7e66 (git) |
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < 561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f (git) |
| Linux | Linux | Affected: aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 , < 7bf563badd37cb796df5477d2b78bb64148a1268 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_tracepoint.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68200112534bb2acd1d7117dc2d5c124868d866d",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
},
{
"lessThan": "720c76b930c52cd58f50eb6b10569d03dccc7959",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
},
{
"lessThan": "b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
},
{
"lessThan": "d2ea0b8aef8746e147602eac87ca8538f4bc7e66",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
},
{
"lessThan": "561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
},
{
"lessThan": "7bf563badd37cb796df5477d2b78bb64148a1268",
"status": "affected",
"version": "aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_tracepoint.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid NULL deref of conn-\u003elnk in smc_msg_event tracepoint\n\nThe smc_msg_event tracepoint class, shared by smc_tx_sendmsg and\nsmc_rx_recvmsg, unconditionally dereferences smc-\u003econn.lnk:\n\n\t__string(name, smc-\u003econn.lnk-\u003eibname)\n\nconn-\u003elnk is only set for SMC-R; for SMC-D it is NULL. Other code on\nthese paths already handles this (e.g. !conn-\u003elnk in\nSMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first\nsendmsg()/recvmsg() on an SMC-D socket crashes:\n\n Oops: general protection fault, probably for non-canonical address\n KASAN: null-ptr-deref in range [...]\n RIP: 0010:strlen+0x1e/0xa0\n Call Trace:\n trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)\n smc_rx_recvmsg (net/smc/smc_rx.c:515)\n smc_recvmsg (net/smc/af_smc.c:2859)\n __sys_recvfrom (net/socket.c:2315)\n __x64_sys_recvfrom (net/socket.c:2326)\n do_syscall_64\n\nThe faulting address 0x3e0 is offsetof(struct smc_link, ibname),\nconfirming the NULL -\u003elnk deref. Enabling the tracepoint requires\nroot, but the trigger itself is unprivileged: socket(AF_SMC, ...) has\nno capability check, and SMC-D negotiation needs no admin step on\ns390 or on x86 with the loopback ISM device loaded.\n\nLog an empty device name for SMC-D instead of dereferencing NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:29.943Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68200112534bb2acd1d7117dc2d5c124868d866d"
},
{
"url": "https://git.kernel.org/stable/c/720c76b930c52cd58f50eb6b10569d03dccc7959"
},
{
"url": "https://git.kernel.org/stable/c/b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef"
},
{
"url": "https://git.kernel.org/stable/c/d2ea0b8aef8746e147602eac87ca8538f4bc7e66"
},
{
"url": "https://git.kernel.org/stable/c/561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f"
},
{
"url": "https://git.kernel.org/stable/c/7bf563badd37cb796df5477d2b78bb64148a1268"
}
],
"title": "net/smc: avoid NULL deref of conn-\u003elnk in smc_msg_event tracepoint",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52941",
"datePublished": "2026-06-24T07:14:29.943Z",
"dateReserved": "2026-06-09T07:44:35.370Z",
"dateUpdated": "2026-06-24T07:14:29.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53196 (GCVE-0-2026-53196)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-07-02 12:05
Title
USB: serial: io_ti: fix heap overflow in get_manuf_info()
Summary
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

[ johan: amend commit message; also check for short descriptors ]
Severity
6.8 (Medium)
CWE
- CWE-787 - Out-of-bounds Write
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < e168db91442b94e64fa82a7dd297983d48ea5cc0 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 561edb021486e6723d841926aa4b48097da06190 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < cfd634f6dfd40c49a84f9bddc2867a80e2e2623a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < d92f17af7097d10bdeddf26f66f34b354104b277 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b849f30d1a9e66aae6b715aaef66e427390cb081 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < d214d2341d4f9f447e36a7d012cdf6a6631a55f1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 183c1076eca43bbb3e7bdf597456f91d81c73e74 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s `io_ti` USB serial driver. A malicious USB device, when plugged into a host running this driver, can exploit a heap overflow vulnerability in the `get_manuf_info()` function. This occurs because the driver does not properly validate the size of data read from the device\u0027s I2C EEPROM against the allocated memory buffer. This improper validation can lead to out-of-bounds memory writes, potentially allowing an attacker to execute arbitrary code or cause a system crash (Denial of Service)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:23.189Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53196"
},
{
"name": "RHBZ#2492750",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492750"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53196.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: USB: serial: io_ti: fix heap overflow in get_manuf_info()",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, prevent module io_ti from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/io_ti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e168db91442b94e64fa82a7dd297983d48ea5cc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "561edb021486e6723d841926aa4b48097da06190",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfd634f6dfd40c49a84f9bddc2867a80e2e2623a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d92f17af7097d10bdeddf26f66f34b354104b277",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b849f30d1a9e66aae6b715aaef66e427390cb081",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d214d2341d4f9f447e36a7d012cdf6a6631a55f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "183c1076eca43bbb3e7bdf597456f91d81c73e74",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/io_ti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: io_ti: fix heap overflow in get_manuf_info()\n\nget_manuf_info() reads le16_to_cpu(rom_desc-\u003eSize) bytes from the\ndevice I2C EEPROM into a buffer allocated with kmalloc_obj(), which\nis sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.\n\nThe Size field comes from the device and is only validated (in\ncheck_i2c_image()) to make sure the descriptor fits within\nTI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.\nA malicious USB device can therefore set Size to any value up to 16377,\ncausing a heap overflow of up to 16367 bytes when plugged into a host\nrunning this driver.\n\nvalid_csum() is called after read_rom() and also iterates\nbuffer[0..Size-1], compounding the out-of-bounds access.\n\nFix by rejecting descriptors with unexpected length before calling\nread_rom().\n\n[ johan: amend commit message; also check for short descriptors ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:06.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0"
},
{
"url": "https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190"
},
{
"url": "https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a"
},
{
"url": "https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277"
},
{
"url": "https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081"
},
{
"url": "https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea"
},
{
"url": "https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1"
},
{
"url": "https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74"
}
],
"title": "USB: serial: io_ti: fix heap overflow in get_manuf_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53196",
"datePublished": "2026-06-25T08:39:06.330Z",
"dateReserved": "2026-06-09T07:44:35.391Z",
"dateUpdated": "2026-07-02T12:05:23.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53184 (GCVE-0-2026-53184)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
udp: clear skb->dev before running a sockmap verdict
Summary
In the Linux kernel, the following vulnerability has been resolved:

udp: clear skb->dev before running a sockmap verdict

On the UDP receive path skb->dev is repurposed as dev_scratch (the
truesize/state cache set by udp_set_dev_scratch()), through the
union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is
sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
bpf_skc_lookup_tcp), bpf_skc_lookup() does:

    if (skb->dev)
        caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
dereferences it as a struct net_device * and the kernel takes a general
protection fault on a non-canonical address in softirq:

    Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
    CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
    RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
    RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
    Call Trace:
    <IRQ>
    bpf_prog_4675cb904b7071f8+0x12e/0x14e
    bpf_prog_run_pin_on_cpu+0xc6/0x1f0
    sk_psock_verdict_recv+0x1ba/0x350
    udp_read_skb+0x31a/0x370
    sk_psock_verdict_data_ready+0x2e3/0x600
    __udp_enqueue_schedule_skb+0x4c8/0x650
    udpv6_queue_rcv_one_skb+0x3ec/0x740
    udp6_unicast_rcv_skb+0x11d/0x140
    ip6_protocol_deliver_rcu+0x61e/0x950
    ip6_input_finish+0xa9/0x150
    NF_HOOK+0x286/0x2f0
    ip6_input+0x117/0x220
    NF_HOOK+0x286/0x2f0
    __netif_receive_skb+0x85/0x200
    process_backlog+0x374/0x9a0
    __napi_poll+0x4f/0x1c0
    net_rx_action+0x3b0/0x770
    handle_softirqs+0x15a/0x460
    do_softirq+0x57/0x80
    </IRQ>

The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on
dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear
skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
skb_set_owner_sk_safe() set just above.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 263779a6beff03b8b06f6d25566cb0f45af361f2 (git) |
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 1b585673a2249f13678e7ac443ac683ba767e0b6 (git) |
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 90d35188aaa92b8f8b23f66335e0e91bf60103a3 (git) |
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 6822eed69572000a181fa4e31fceacc60918c471 (git) |
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1 (git) |
| Linux | Linux | Affected: 965b57b469a589d64d81b1688b38dcb537011bb0, < 3c94f241f776562c489876ff506f366224565c21 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "263779a6beff03b8b06f6d25566cb0f45af361f2",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "1b585673a2249f13678e7ac443ac683ba767e0b6",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "90d35188aaa92b8f8b23f66335e0e91bf60103a3",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "6822eed69572000a181fa4e31fceacc60918c471",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
},
{
"lessThan": "3c94f241f776562c489876ff506f366224565c21",
"status": "affected",
"version": "965b57b469a589d64d81b1688b38dcb537011bb0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: clear skb-\u003edev before running a sockmap verdict\n\nOn the UDP receive path skb-\u003edev is repurposed as dev_scratch (the\ntruesize/state cache set by udp_set_dev_scratch()), through the\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\n\nWhen a UDP socket is in a sockmap, sk_data_ready is\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -\u003e recv_actor()\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\n\n\tif (skb-\u003edev)\n\t\tcaller_net = dev_net(skb-\u003edev);\n\nskb-\u003edev still holds the dev_scratch value (a non-NULL integer), so dev_net()\ndereferences it as a struct net_device * and the kernel takes a general\nprotection fault on a non-canonical address in softirq:\n\n Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\n CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\n RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\n RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\n Call Trace:\n \u003cIRQ\u003e\n bpf_prog_4675cb904b7071f8+0x12e/0x14e\n bpf_prog_run_pin_on_cpu+0xc6/0x1f0\n sk_psock_verdict_recv+0x1ba/0x350\n udp_read_skb+0x31a/0x370\n sk_psock_verdict_data_ready+0x2e3/0x600\n __udp_enqueue_schedule_skb+0x4c8/0x650\n udpv6_queue_rcv_one_skb+0x3ec/0x740\n udp6_unicast_rcv_skb+0x11d/0x140\n ip6_protocol_deliver_rcu+0x61e/0x950\n ip6_input_finish+0xa9/0x150\n NF_HOOK+0x286/0x2f0\n ip6_input+0x117/0x220\n NF_HOOK+0x286/0x2f0\n __netif_receive_skb+0x85/0x200\n process_backlog+0x374/0x9a0\n __napi_poll+0x4f/0x1c0\n net_rx_action+0x3b0/0x770\n handle_softirqs+0x15a/0x460\n do_softirq+0x57/0x80\n \u003c/IRQ\u003e\n\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\nskb-\u003edev so bpf_skc_lookup() falls back to sock_net(skb-\u003esk), which\nskb_set_owner_sk_safe() set just above."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:58.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/263779a6beff03b8b06f6d25566cb0f45af361f2"
},
{
"url": "https://git.kernel.org/stable/c/1b585673a2249f13678e7ac443ac683ba767e0b6"
},
{
"url": "https://git.kernel.org/stable/c/90d35188aaa92b8f8b23f66335e0e91bf60103a3"
},
{
"url": "https://git.kernel.org/stable/c/6822eed69572000a181fa4e31fceacc60918c471"
},
{
"url": "https://git.kernel.org/stable/c/7d6d92d000ebe3a845a17c165c1d3a70c5d84fe1"
},
{
"url": "https://git.kernel.org/stable/c/3c94f241f776562c489876ff506f366224565c21"
}
],
"title": "udp: clear skb-\u003edev before running a sockmap verdict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53184",
"datePublished": "2026-06-25T08:38:58.189Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-28T06:39:58.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53275 (GCVE-0-2026-53275)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
ipv6: mcast: Fix use-after-free when processing MLD queries
Summary
In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: Fix use-after-free when processing MLD queries

When processing an MLD query, a pointer to the multicast group address
is retrieved when initially parsing the packet. This pointer is later
dereferenced without being reloaded despite the fact that the skb header
might have been reallocated following the pskb_may_pull() calls, leading
to a use-after-free [1].

Fix by copying the multicast group address when the packet is initially
parsed.

[1]

    BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
    Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118

    Workqueue: mld mld_query_work
    Call Trace:
    <TASK>
    dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
    print_address_description.constprop.0 (mm/kasan/report.c:378)
    print_report (mm/kasan/report.c:482)
    kasan_report (mm/kasan/report.c:595)
    __mld_query_work (net/ipv6/mcast.c:1512)
    mld_query_work (net/ipv6/mcast.c:1563)
    process_one_work (kernel/workqueue.c:3314)
    worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
    kthread (kernel/kthread.c:436)
    ret_from_fork (arch/x86/kernel/process.c:158)
    ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
    </TASK>

    [...]

    Freed by task 118:
    kasan_save_stack (mm/kasan/common.c:57)
    kasan_save_track (mm/kasan/common.c:78)
    kasan_save_free_info (mm/kasan/generic.c:584)
    __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
    pskb_expand_head (net/core/skbuff.c:2335)
    __pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
    __mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
    mld_query_work (net/ipv6/mcast.c:1563)
    process_one_work (kernel/workqueue.c:3314)
    worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
    kthread (kernel/kthread.c:436)
    ret_from_fork (arch/x86/kernel/process.c:158)
    ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 1354271c89d0e5fbf8b3d94097ff0216695209c7 (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 53baa63a4183291574483f89583dbef13677a2c4 (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 2a613bf497029d555a7428406aa8cdb84a503cea (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < b2eb8886200b907fc71806869620609f0f4cacb0 (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 4203806f700bb44ea0b05d484d9d40044b47fb04 (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 087dbacf897c020f438f780f0a4a8aa73b6d7c5a (git) |
| Linux | Linux | Affected: 97300b5fdfe28c6edae926926f9467a27cf5889c, < 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1354271c89d0e5fbf8b3d94097ff0216695209c7",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "53baa63a4183291574483f89583dbef13677a2c4",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "2a613bf497029d555a7428406aa8cdb84a503cea",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "b2eb8886200b907fc71806869620609f0f4cacb0",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "4203806f700bb44ea0b05d484d9d40044b47fb04",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "087dbacf897c020f438f780f0a4a8aa73b6d7c5a",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
},
{
"lessThan": "791c91dc7a9dfb2457d5e29b8216a6484b9c4b40",
"status": "affected",
"version": "97300b5fdfe28c6edae926926f9467a27cf5889c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Fix use-after-free when processing MLD queries\n\nWhen processing an MLD query, a pointer to the multicast group address\nis retrieved when initially parsing the packet. This pointer is later\ndereferenced without being reloaded despite the fact that the skb header\nmight have been reallocated following the pskb_may_pull() calls, leading\nto a use-after-free [1].\n\nFix by copying the multicast group address when the packet is initially\nparsed.\n\n[1]\nBUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)\nRead of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118\n\nWorkqueue: mld mld_query_work\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\nprint_report (mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:595)\n__mld_query_work (net/ipv6/mcast.c:1512)\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)\n\u003c/TASK\u003e\n\n[...]\n\nFreed by task 118:\nkasan_save_stack (mm/kasan/common.c:57)\nkasan_save_track (mm/kasan/common.c:78)\nkasan_save_free_info (mm/kasan/generic.c:584)\n__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)\nkfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)\npskb_expand_head (net/core/skbuff.c:2335)\n__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))\n__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:17.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1354271c89d0e5fbf8b3d94097ff0216695209c7"
},
{
"url": "https://git.kernel.org/stable/c/53baa63a4183291574483f89583dbef13677a2c4"
},
{
"url": "https://git.kernel.org/stable/c/2a613bf497029d555a7428406aa8cdb84a503cea"
},
{
"url": "https://git.kernel.org/stable/c/b2eb8886200b907fc71806869620609f0f4cacb0"
},
{
"url": "https://git.kernel.org/stable/c/4203806f700bb44ea0b05d484d9d40044b47fb04"
},
{
"url": "https://git.kernel.org/stable/c/087dbacf897c020f438f780f0a4a8aa73b6d7c5a"
},
{
"url": "https://git.kernel.org/stable/c/791c91dc7a9dfb2457d5e29b8216a6484b9c4b40"
}
],
"title": "ipv6: mcast: Fix use-after-free when processing MLD queries",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53275",
"datePublished": "2026-06-25T08:39:59.115Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:17.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52915 (GCVE-0-2026-52915)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
netfilter: ip6t_hbh: reject oversized option lists
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_hbh: reject oversized option lists
struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.
Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.
`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2d523ba48d4ecc46acfb6aba548292cfcce1ac02 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 588933f1a2ca5ff99274f8c9f25dc3a25d0191c3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 784aadea7a108c9f90985683caa87fb0198c6a39 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 41ec2e242f1702e8370ddfe14d22b7a766021c3e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < db0250470f023f159094052c0bd5ab026a88ae93 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 57b0ac5e1b46f1f0338dff392ef2092e2871b412 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 6feb43c0995ab3a9c826707eb46541a1696fe4f7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 4322dcde6b4173c2d8e8e6118ed290794263bcc8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_hbh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d523ba48d4ecc46acfb6aba548292cfcce1ac02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "588933f1a2ca5ff99274f8c9f25dc3a25d0191c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "784aadea7a108c9f90985683caa87fb0198c6a39",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41ec2e242f1702e8370ddfe14d22b7a766021c3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db0250470f023f159094052c0bd5ab026a88ae93",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57b0ac5e1b46f1f0338dff392ef2092e2871b412",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6feb43c0995ab3a9c826707eb46541a1696fe4f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4322dcde6b4173c2d8e8e6118ed290794263bcc8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_hbh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_hbh: reject oversized option lists\n\nstruct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,\nbut hbh_mt6_check() does not reject larger optsnr values supplied from\nuserspace.\n\nValidate optsnr in the rule setup path so only match data that fits the\nfixed-size opts array can be installed. This follows the existing xtables\npattern of rejecting invalid user-provided counts in checkentry() and\nkeeps the packet matching path unchanged.\n\n`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,\nwhere `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:\n\n[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29\n[ 137.926167][ T8692] index 16 is out of range for type \u0027__u16 [16]\u0027"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:33.329Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02"
},
{
"url": "https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3"
},
{
"url": "https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39"
},
{
"url": "https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e"
},
{
"url": "https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93"
},
{
"url": "https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412"
},
{
"url": "https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7"
},
{
"url": "https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8"
}
],
"title": "netfilter: ip6t_hbh: reject oversized option lists",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52915",
"datePublished": "2026-06-24T07:14:12.569Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-28T06:36:33.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53154 (GCVE-0-2026-53154)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
mm/hugetlb: restore reservation on error in hugetlb folio copy paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: restore reservation on error in hugetlb folio copy paths
Two sites in mm/hugetlb.c allocate a hugetlb folio via
alloc_hugetlb_folio() (consuming a VMA reservation) and then call
copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c
("mm: hwpoison: support recovery from HugePage copy-on-write faults") and
can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the
failure path, folio_put() restores the global hugetlb pool count through
free_huge_folio(), but the per-VMA reservation map entry is left marked
consumed:
- hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
- copy_hugetlb_page_range() fork-time CoW path when
  hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
  folio under fork)
User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the
resubmission copy fails, the reservation for that address is leaked from
the VMA's reserve map. A subsequent fault at the same address takes the
no-reservation path, and under hugetlb pool pressure the task is SIGBUSed
at an address it had previously reserved. The fork-time CoW path leaks
the same way in the child VMA's reserve map, though it requires the much
rarer combination of pinned hugetlb anon page + hwpoisoned source.
Add the missing restore_reserve_on_error() call before folio_put() on both
error paths.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1cb9dc4b475c7418f925ab0c97b6750007d9f52e, < 8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38 (git) |
| Linux | Linux | Affected: 1cb9dc4b475c7418f925ab0c97b6750007d9f52e, < e47bf16af3c45470ea32f2241fa69aefe0dd61bd (git) |
| Linux | Linux | Affected: 1cb9dc4b475c7418f925ab0c97b6750007d9f52e, < c72469ac0f274bde3f0df60a4584e14a123d0aa6 (git) |
| Linux | Linux | Affected: 1cb9dc4b475c7418f925ab0c97b6750007d9f52e, < 45e33d43243d71d089af42f5077b8213cee6610f (git) |
| Linux | Linux | Affected: 1cb9dc4b475c7418f925ab0c97b6750007d9f52e, < 40c81856e622a9dc59294a90d169ac07ea25b0b0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38",
"status": "affected",
"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e",
"versionType": "git"
},
{
"lessThan": "e47bf16af3c45470ea32f2241fa69aefe0dd61bd",
"status": "affected",
"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e",
"versionType": "git"
},
{
"lessThan": "c72469ac0f274bde3f0df60a4584e14a123d0aa6",
"status": "affected",
"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e",
"versionType": "git"
},
{
"lessThan": "45e33d43243d71d089af42f5077b8213cee6610f",
"status": "affected",
"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e",
"versionType": "git"
},
{
"lessThan": "40c81856e622a9dc59294a90d169ac07ea25b0b0",
"status": "affected",
"version": "1cb9dc4b475c7418f925ab0c97b6750007d9f52e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore reservation on error in hugetlb folio copy paths\n\nTwo sites in mm/hugetlb.c allocate a hugetlb folio via\nalloc_hugetlb_folio() (consuming a VMA reservation) and then call\ncopy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c\n(\"mm: hwpoison: support recovery from HugePage copy-on-write faults\") and\ncan now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the\nfailure path, folio_put() restores the global hugetlb pool count through\nfree_huge_folio(), but the per-VMA reservation map entry is left marked\nconsumed:\n\n - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)\n - copy_hugetlb_page_range() fork-time CoW path when\n hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon\n folio under fork)\n\nUser-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the\nresubmission copy fails, the reservation for that address is leaked from\nthe VMA\u0027s reserve map. A subsequent fault at the same address takes the\nno-reservation path, and under hugetlb pool pressure the task is SIGBUSed\nat an address it had previously reserved. The fork-time CoW path leaks\nthe same way in the child VMA\u0027s reserve map, though it requires the much\nrarer combination of pinned hugetlb anon page + hwpoisoned source.\n\nAdd the missing restore_reserve_on_error() call before folio_put() on both\nerror paths."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:38.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d6e1dd3ad1340cd8b6d554b7aa93d8f0a1c6d38"
},
{
"url": "https://git.kernel.org/stable/c/e47bf16af3c45470ea32f2241fa69aefe0dd61bd"
},
{
"url": "https://git.kernel.org/stable/c/c72469ac0f274bde3f0df60a4584e14a123d0aa6"
},
{
"url": "https://git.kernel.org/stable/c/45e33d43243d71d089af42f5077b8213cee6610f"
},
{
"url": "https://git.kernel.org/stable/c/40c81856e622a9dc59294a90d169ac07ea25b0b0"
}
],
"title": "mm/hugetlb: restore reservation on error in hugetlb folio copy paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53154",
"datePublished": "2026-06-25T08:38:38.168Z",
"dateReserved": "2026-06-09T07:44:35.388Z",
"dateUpdated": "2026-06-25T08:38:38.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53242 (GCVE-0-2026-53242)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
snd_pcm_drain() uses init_waitqueue_entry which does not clear
entry.prev/next, and add_wait_queue with a conditional
remove_wait_queue that is skipped when to_check is no longer
in the group after concurrent UNLINK. The orphaned wait entry
remains on the unlinked substream sleep queue. On the next
drain iteration, add_wait_queue adds the entry to a new queue
while still linked on the old one, corrupting both lists. A
subsequent wake_up dereferences NULL at the func pointer
(mapped from the spinlock at offset 0 of the misinterpreted
wait_queue_head_t), causing a kernel panic.
Replace init_waitqueue_entry/add_wait_queue/conditional
remove_wait_queue with init_wait_entry/prepare_to_wait/
finish_wait. init_wait_entry clears prev/next via
INIT_LIST_HEAD on each iteration and sets
autoremove_wake_function which auto-removes the entry on
wake-up. finish_wait safely handles both the already-removed
and still-queued cases.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9baee36e8c5443411c4629afabafaff8a46a23fd, < cac5bf3500ee6422cf64e0df0b5daeecfed42917 (git) |
| Linux | Linux | Affected: fc71f888994569f87d5bee20b1ac6c9c1e3a7a79, < d842f26a167e77a36f3ed333b9fa99d36ef99fe6 (git) |
| Linux | Linux | Affected: 629cf09464cf98670996ea5c191dc9743e6f3f00, < d68b621bb5a48051932f1017a6e1bc9b18f854d0 (git) |
| Linux | Linux | Affected: ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432, < b053fcd8912f06c30f932f5b8ec41c72de474695 (git) |
| Linux | Linux | Affected: 4a758e9a1f5ed722f83c4dd35f867fe811553bcb, < cd98837db15f323463b8df07282ac723bd5c3fed (git) |
| Linux | Linux | Affected: 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6, < 7c71a9522555ff137a9ca36b15d759ca04d84788 (git) |
| Linux | Linux | Affected: 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6, < 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b (git) |
| Linux | Linux | Affected: c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694 (git) |
| Linux | Linux | Affected: 5.10.253, < 5.10.259 (semver) |
| Linux | Linux | Affected: 6.1.167, < 6.1.176 (semver) |
| Linux | Linux | Affected: 6.6.130, < 6.6.143 (semver) |
| Linux | Linux | Affected: 6.12.78, < 6.12.94 (semver) |
| Linux | Linux | Affected: 6.18.19, < 6.18.36 (semver) |
| Linux | Linux | Affected: 6.19.9, < 6.20 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cac5bf3500ee6422cf64e0df0b5daeecfed42917",
"status": "affected",
"version": "9baee36e8c5443411c4629afabafaff8a46a23fd",
"versionType": "git"
},
{
"lessThan": "d842f26a167e77a36f3ed333b9fa99d36ef99fe6",
"status": "affected",
"version": "fc71f888994569f87d5bee20b1ac6c9c1e3a7a79",
"versionType": "git"
},
{
"lessThan": "d68b621bb5a48051932f1017a6e1bc9b18f854d0",
"status": "affected",
"version": "629cf09464cf98670996ea5c191dc9743e6f3f00",
"versionType": "git"
},
{
"lessThan": "b053fcd8912f06c30f932f5b8ec41c72de474695",
"status": "affected",
"version": "ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432",
"versionType": "git"
},
{
"lessThan": "cd98837db15f323463b8df07282ac723bd5c3fed",
"status": "affected",
"version": "4a758e9a1f5ed722f83c4dd35f867fe811553bcb",
"versionType": "git"
},
{
"lessThan": "7c71a9522555ff137a9ca36b15d759ca04d84788",
"status": "affected",
"version": "9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6",
"versionType": "git"
},
{
"lessThan": "88fe2e3658726cb21ff2dcf9770bf672f9b9d31b",
"status": "affected",
"version": "9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6",
"versionType": "git"
},
{
"status": "affected",
"version": "c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694",
"versionType": "git"
},
{
"lessThan": "5.10.259",
"status": "affected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThan": "6.20",
"status": "affected",
"version": "6.19.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.19.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams\n\nsnd_pcm_drain() uses init_waitqueue_entry which does not clear\nentry.prev/next, and add_wait_queue with a conditional\nremove_wait_queue that is skipped when to_check is no longer\nin the group after concurrent UNLINK. The orphaned wait entry\nremains on the unlinked substream sleep queue. On the next\ndrain iteration, add_wait_queue adds the entry to a new queue\nwhile still linked on the old one, corrupting both lists. A\nsubsequent wake_up dereferences NULL at the func pointer\n(mapped from the spinlock at offset 0 of the misinterpreted\nwait_queue_head_t), causing a kernel panic.\n\nReplace init_waitqueue_entry/add_wait_queue/conditional\nremove_wait_queue with init_wait_entry/prepare_to_wait/\nfinish_wait. init_wait_entry clears prev/next via\nINIT_LIST_HEAD on each iteration and sets\nautoremove_wake_function which auto-removes the entry on\nwake-up. finish_wait safely handles both the already-removed\nand still-queued cases."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:49.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cac5bf3500ee6422cf64e0df0b5daeecfed42917"
},
{
"url": "https://git.kernel.org/stable/c/d842f26a167e77a36f3ed333b9fa99d36ef99fe6"
},
{
"url": "https://git.kernel.org/stable/c/d68b621bb5a48051932f1017a6e1bc9b18f854d0"
},
{
"url": "https://git.kernel.org/stable/c/b053fcd8912f06c30f932f5b8ec41c72de474695"
},
{
"url": "https://git.kernel.org/stable/c/cd98837db15f323463b8df07282ac723bd5c3fed"
},
{
"url": "https://git.kernel.org/stable/c/7c71a9522555ff137a9ca36b15d759ca04d84788"
},
{
"url": "https://git.kernel.org/stable/c/88fe2e3658726cb21ff2dcf9770bf672f9b9d31b"
}
],
"title": "ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53242",
"datePublished": "2026-06-25T08:39:37.129Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-28T06:40:49.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55200 (GCVE-0-2026-55200)
Vulnerability from cvelistv5 – Published: 2026-06-17 19:03 – Updated: 2026-07-01 03:55 X_Open Source
Title
libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
Summary
libssh2 through 1.11.1, fixed in commit 7acf3df, contains an out-of-bounds write vulnerability in ssh2_transport_read(), which fails to enforce an upper bound on the packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
Severity
8.1 (High)
CWE
- CWE-680 - Integer Overflow to Buffer Overflow
Credits
Tristan Madani (@TristanInSec)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T03:55:44.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20260623211210/https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "libssh2",
"repo": "https://github.com/libssh2/libssh2",
"vendor": "libssh2",
"versions": [
{
"lessThanOrEqual": "1.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7acf3dfda80c91c3a8c9f2372546301d4a1a7a8",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.11.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec)"
}
],
"datePublic": "2026-06-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-680",
"description": "Integer Overflow to Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T11:46:01.897Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Pull Request",
"tags": [
"issue-tracking"
],
"url": "https://github.com/libssh2/libssh2/pull/2052"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c"
}
],
"tags": [
"x_open-source"
],
"title": "libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-55200",
"datePublished": "2026-06-17T19:03:15.183Z",
"dateReserved": "2026-06-16T15:53:37.764Z",
"dateUpdated": "2026-07-01T03:55:44.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52912 (GCVE-0-2026-52912)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
netfilter: nf_queue: hold bridge skb->dev while queued
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_queue: hold bridge skb->dev while queued
br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.
When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.
Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
ac28634456867b23b95faccba7997a62ec430603 , < 950d809f154dca04e5fbe5d3c8b9c5e44769cd57
(git)
Affected: ac28634456867b23b95faccba7997a62ec430603 , < a698ac8ab2561cf575d2d9f34095032651dd952e (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < 19924bdd8a45ebc72a7b84c57fd63057d1dc75ac (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < 1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < 3823c27099cfe2482299065814adbaa771be9644 (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < 15d464265120ab9818bd673af301deee09bedab2 (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < 3fb0f5c0f64162a8c3f25616a4f1e340b921737f (git) Affected: ac28634456867b23b95faccba7997a62ec430603 , < e196115ec330a18de415bdb9f5071aa9f08e53ce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_queue.h",
"net/netfilter/nf_queue.c",
"net/netfilter/nfnetlink_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "950d809f154dca04e5fbe5d3c8b9c5e44769cd57",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "a698ac8ab2561cf575d2d9f34095032651dd952e",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "19924bdd8a45ebc72a7b84c57fd63057d1dc75ac",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "3823c27099cfe2482299065814adbaa771be9644",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "15d464265120ab9818bd673af301deee09bedab2",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "3fb0f5c0f64162a8c3f25616a4f1e340b921737f",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
},
{
"lessThan": "e196115ec330a18de415bdb9f5071aa9f08e53ce",
"status": "affected",
"version": "ac28634456867b23b95faccba7997a62ec430603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_queue.h",
"net/netfilter/nf_queue.c",
"net/netfilter/nfnetlink_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: hold bridge skb-\u003edev while queued\n\nbr_pass_frame_up() rewrites skb-\u003edev from the ingress port to the bridge\nmaster before queueing bridge LOCAL_IN packets. NFQUEUE only holds\nreferences on state.in/out and bridge physdevs, so a queued bridge\npacket can retain a freed bridge master in skb-\u003edev until reinjection.\n\nWhen the verdict is reinjected later, br_netif_receive_skb() re-enters\nthe receive path with skb-\u003edev still pointing at the freed bridge master,\ntriggering a use-after-free.\n\nStore skb-\u003edev in the queue entry, hold a reference on it for the queue\nlifetime, and use the saved device when dropping queued packets during\nNETDEV_DOWN handling."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:30.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/950d809f154dca04e5fbe5d3c8b9c5e44769cd57"
},
{
"url": "https://git.kernel.org/stable/c/a698ac8ab2561cf575d2d9f34095032651dd952e"
},
{
"url": "https://git.kernel.org/stable/c/19924bdd8a45ebc72a7b84c57fd63057d1dc75ac"
},
{
"url": "https://git.kernel.org/stable/c/1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be"
},
{
"url": "https://git.kernel.org/stable/c/3823c27099cfe2482299065814adbaa771be9644"
},
{
"url": "https://git.kernel.org/stable/c/15d464265120ab9818bd673af301deee09bedab2"
},
{
"url": "https://git.kernel.org/stable/c/3fb0f5c0f64162a8c3f25616a4f1e340b921737f"
},
{
"url": "https://git.kernel.org/stable/c/e196115ec330a18de415bdb9f5071aa9f08e53ce"
}
],
"title": "netfilter: nf_queue: hold bridge skb-\u003edev while queued",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52912",
"datePublished": "2026-06-24T07:14:10.583Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-28T06:36:30.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52913 (GCVE-0-2026-52913)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
batman-adv: v: stop OGMv2 on disabled interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: v: stop OGMv2 on disabled interface
When a batadv_hard_iface is disabled, its mesh_iface pointer is set to
NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via
batadv_v_ogm_queue_on_if() for interfaces that have since lost their
mesh_iface association. This results in a NULL pointer dereference when
batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the
now NULL hard_iface->mesh_iface to retrieve the batadv_priv.
It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that
it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was
called.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
0da0035942d47766c32843143fb5dba7a29cb48c , < d7391a2b854a62235539c68e9cbf6fc7910a8e9a
(git)
Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < 70c9f6ab0d8f785087fb74fb85464a9a5288bfdb (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < 040fe8eb34624002071dd21de9824dfe668ce65d (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < 31dcb9711abd1dcd2080d9fac05c79dd9997d6bf (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < aad70db50ea3d7dfe30e402b889ff075a293b287 (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < 1be1e99cbd5b74a69d3f92200ca87cf1bce852db (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < 4ff461af943efb5e74d09942d5ffee7644d1e1fe (git) Affected: 0da0035942d47766c32843143fb5dba7a29cb48c , < f8ce8b8331a1bc44ad4905886a482214d428b253 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7391a2b854a62235539c68e9cbf6fc7910a8e9a",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "70c9f6ab0d8f785087fb74fb85464a9a5288bfdb",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "040fe8eb34624002071dd21de9824dfe668ce65d",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "31dcb9711abd1dcd2080d9fac05c79dd9997d6bf",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "aad70db50ea3d7dfe30e402b889ff075a293b287",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "1be1e99cbd5b74a69d3f92200ca87cf1bce852db",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "4ff461af943efb5e74d09942d5ffee7644d1e1fe",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
},
{
"lessThan": "f8ce8b8331a1bc44ad4905886a482214d428b253",
"status": "affected",
"version": "0da0035942d47766c32843143fb5dba7a29cb48c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: v: stop OGMv2 on disabled interface\n\nWhen a batadv_hard_iface is disabled, its mesh_iface pointer is set to\nNULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via\nbatadv_v_ogm_queue_on_if() for interfaces that have since lost their\nmesh_iface association. This results in a NULL pointer dereference when\nbatadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the\nnow NULL hard_iface-\u003emesh_iface to retrieve the batadv_priv.\n\nIt is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that\nit is using the same mesh_iface for which batadv_v_ogm_send_meshif() was\ncalled."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:11.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7391a2b854a62235539c68e9cbf6fc7910a8e9a"
},
{
"url": "https://git.kernel.org/stable/c/70c9f6ab0d8f785087fb74fb85464a9a5288bfdb"
},
{
"url": "https://git.kernel.org/stable/c/040fe8eb34624002071dd21de9824dfe668ce65d"
},
{
"url": "https://git.kernel.org/stable/c/31dcb9711abd1dcd2080d9fac05c79dd9997d6bf"
},
{
"url": "https://git.kernel.org/stable/c/aad70db50ea3d7dfe30e402b889ff075a293b287"
},
{
"url": "https://git.kernel.org/stable/c/1be1e99cbd5b74a69d3f92200ca87cf1bce852db"
},
{
"url": "https://git.kernel.org/stable/c/4ff461af943efb5e74d09942d5ffee7644d1e1fe"
},
{
"url": "https://git.kernel.org/stable/c/f8ce8b8331a1bc44ad4905886a482214d428b253"
}
],
"title": "batman-adv: v: stop OGMv2 on disabled interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52913",
"datePublished": "2026-06-24T07:14:11.248Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-24T07:14:11.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53237 (GCVE-0-2026-53237)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
gpio: mvebu: fix NULL pointer dereference in suspend/resume
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: mvebu: fix NULL pointer dereference in suspend/resume
mvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO
banks during suspend/resume, but not all banks have PWM functionality.
GPIO banks without PWM have mvchip->mvpwm set to NULL.
Calling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer
dereference when it tries to access mvpwm->blink_select.
Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write
[00000020] *pgd=00000000
Internal error: Oops: 815 [#1] PREEMPT ARM
Modules linked in:
CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353
Hardware name: Marvell Armada 370/XP (Device Tree)
PC is at regmap_mmio_read+0x38/0x54
LR is at regmap_mmio_read+0x38/0x54
pc : [<c05fd2ac>] lr : [<c05fd2ac>] psr: 200f0013
sp : f0c11d10 ip : 00000000 fp : c100d2f0
r10: c14fb854 r9 : 00000000 r8 : 00000000
r7 : c1799c00 r6 : 00000020 r5 : 00000020 r4 : c179c7c0
r3 : f0a231a0 r2 : 00000020 r1 : 00000020 r0 : 00000000
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 135ec059 DAC: 00000051
Call trace:
regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac
_regmap_bus_reg_read from _regmap_read+0x60/0x154
_regmap_read from regmap_read+0x3c/0x60
regmap_read from mvebu_gpio_suspend+0xa4/0x14c
mvebu_gpio_suspend from dpm_run_callback+0x54/0x180
dpm_run_callback from device_suspend+0x124/0x630
device_suspend from dpm_suspend+0x124/0x270
dpm_suspend from dpm_suspend_start+0x64/0x6c
dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8
suspend_devices_and_enter from pm_suspend+0x2fc/0x308
pm_suspend from state_store+0x6c/0xc8
state_store from kernfs_fop_write_iter+0x10c/0x1f8
kernfs_fop_write_iter from vfs_write+0x270/0x468
vfs_write from ksys_write+0x70/0xf0
ksys_write from ret_fast_syscall+0x0/0x54
Add a NULL check for mvchip->mvpwm before calling the PWM
suspend/resume functions.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
757642f9a584e893f3f4e50c99b674ee8a3ed363 , < 7db09011ce62162d72897fc4856b4425245dfe35
(git)
Affected: 757642f9a584e893f3f4e50c99b674ee8a3ed363 , < 4ef24338eda3c7e96d6f94a988266ff16ed3985d (git) Affected: 757642f9a584e893f3f4e50c99b674ee8a3ed363 , < 6136c1474db88272231573e222896e1998d34662 (git) Affected: 757642f9a584e893f3f4e50c99b674ee8a3ed363 , < c9677a9274ffb44987ec209dc8ec9f2d34946956 (git) Affected: 757642f9a584e893f3f4e50c99b674ee8a3ed363 , < b9ad50d7505ebd48282ec3630258dc820fc85c81 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mvebu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7db09011ce62162d72897fc4856b4425245dfe35",
"status": "affected",
"version": "757642f9a584e893f3f4e50c99b674ee8a3ed363",
"versionType": "git"
},
{
"lessThan": "4ef24338eda3c7e96d6f94a988266ff16ed3985d",
"status": "affected",
"version": "757642f9a584e893f3f4e50c99b674ee8a3ed363",
"versionType": "git"
},
{
"lessThan": "6136c1474db88272231573e222896e1998d34662",
"status": "affected",
"version": "757642f9a584e893f3f4e50c99b674ee8a3ed363",
"versionType": "git"
},
{
"lessThan": "c9677a9274ffb44987ec209dc8ec9f2d34946956",
"status": "affected",
"version": "757642f9a584e893f3f4e50c99b674ee8a3ed363",
"versionType": "git"
},
{
"lessThan": "b9ad50d7505ebd48282ec3630258dc820fc85c81",
"status": "affected",
"version": "757642f9a584e893f3f4e50c99b674ee8a3ed363",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mvebu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mvebu: fix NULL pointer dereference in suspend/resume\n\nmvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO\nbanks during suspend/resume, but not all banks have PWM functionality.\nGPIO banks without PWM have mvchip-\u003emvpwm set to NULL.\n\nCalling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer\ndereference when it tries to access mvpwm-\u003eblink_select.\n\n Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write\n [00000020] *pgd=00000000\n Internal error: Oops: 815 [#1] PREEMPT ARM\n Modules linked in:\n CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353\n Hardware name: Marvell Armada 370/XP (Device Tree)\n PC is at regmap_mmio_read+0x38/0x54\n LR is at regmap_mmio_read+0x38/0x54\n pc : [\u003cc05fd2ac\u003e] lr : [\u003cc05fd2ac\u003e] psr: 200f0013\n sp : f0c11d10 ip : 00000000 fp : c100d2f0\n r10: c14fb854 r9 : 00000000 r8 : 00000000\n r7 : c1799c00 r6 : 00000020 r5 : 00000020 r4 : c179c7c0\n r3 : f0a231a0 r2 : 00000020 r1 : 00000020 r0 : 00000000\n Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\n Control: 10c5387d Table: 135ec059 DAC: 00000051\n Call trace:\n regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac\n _regmap_bus_reg_read from _regmap_read+0x60/0x154\n _regmap_read from regmap_read+0x3c/0x60\n regmap_read from mvebu_gpio_suspend+0xa4/0x14c\n mvebu_gpio_suspend from dpm_run_callback+0x54/0x180\n dpm_run_callback from device_suspend+0x124/0x630\n device_suspend from dpm_suspend+0x124/0x270\n dpm_suspend from dpm_suspend_start+0x64/0x6c\n dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8\n suspend_devices_and_enter from pm_suspend+0x2fc/0x308\n pm_suspend from state_store+0x6c/0xc8\n state_store from kernfs_fop_write_iter+0x10c/0x1f8\n kernfs_fop_write_iter from vfs_write+0x270/0x468\n vfs_write from ksys_write+0x70/0xf0\n 
ksys_write from ret_fast_syscall+0x0/0x54\n\nAdd a NULL check for mvchip-\u003emvpwm before calling the PWM\nsuspend/resume functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:33.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7db09011ce62162d72897fc4856b4425245dfe35"
},
{
"url": "https://git.kernel.org/stable/c/4ef24338eda3c7e96d6f94a988266ff16ed3985d"
},
{
"url": "https://git.kernel.org/stable/c/6136c1474db88272231573e222896e1998d34662"
},
{
"url": "https://git.kernel.org/stable/c/c9677a9274ffb44987ec209dc8ec9f2d34946956"
},
{
"url": "https://git.kernel.org/stable/c/b9ad50d7505ebd48282ec3630258dc820fc85c81"
}
],
"title": "gpio: mvebu: fix NULL pointer dereference in suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53237",
"datePublished": "2026-06-25T08:39:33.833Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-25T08:39:33.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53143 (GCVE-0-2026-53143)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-30 12:09
Title
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
The v11 MQD manager incorrectly assigned the CP-compute variants of
checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions
use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct
v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.
During CRIU checkpoint of an SDMA queue on Navi3x:
- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,
leaking 1536 bytes of adjacent GTT memory to userspace
During CRIU restore:
- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,
corrupting 1536 bytes of adjacent GTT memory (often the ring buffer
or neighboring MQDs)
This is a copy-paste regression unique to v11. All other ASIC backends
(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.
Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly
handle the smaller v11_sdma_mqd structure, matching the pattern used in
other MQD managers.
(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)
Severity
CWE
- CWE-131 - Incorrect Calculation of Buffer Size
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
cc009e613de6560eb499f8bc92c80a737752cb30 , < 16dad1fb0d783a4008de30e32d0038c393de05b1
(git)
Affected: cc009e613de6560eb499f8bc92c80a737752cb30 , < 2c5b66c9b4057b385566940935ebc32f6e6ebfd2 (git) Affected: cc009e613de6560eb499f8bc92c80a737752cb30 , < d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64 (git) Affected: cc009e613de6560eb499f8bc92c80a737752cb30 , < d02f05d30f35b036f7cbaf72de634affb5b38ec6 (git) Affected: cc009e613de6560eb499f8bc92c80a737752cb30 , < 352ea59028ea48a6fff77f19ae28f98f71946a80 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s AMD KFD (Kernel Fusion Driver) component. This buffer overflow vulnerability occurs due to incorrect memory buffer handling during CRIU (Checkpoint/Restore in User-space) operations on SDMA (System Direct Memory Access) queues. A local attacker can exploit this flaw during CRIU restore operations, which can lead to memory corruption in adjacent kernel memory, potentially impacting system stability or leading to further compromise. Additionally, during CRIU checkpoint operations, this vulnerability can result in information disclosure of adjacent kernel memory to userspace."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:34.325Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53143"
},
{
"name": "RHBZ#2492719",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492719"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53143.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16dad1fb0d783a4008de30e32d0038c393de05b1",
"status": "affected",
"version": "cc009e613de6560eb499f8bc92c80a737752cb30",
"versionType": "git"
},
{
"lessThan": "2c5b66c9b4057b385566940935ebc32f6e6ebfd2",
"status": "affected",
"version": "cc009e613de6560eb499f8bc92c80a737752cb30",
"versionType": "git"
},
{
"lessThan": "d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64",
"status": "affected",
"version": "cc009e613de6560eb499f8bc92c80a737752cb30",
"versionType": "git"
},
{
"lessThan": "d02f05d30f35b036f7cbaf72de634affb5b38ec6",
"status": "affected",
"version": "cc009e613de6560eb499f8bc92c80a737752cb30",
"versionType": "git"
},
{
"lessThan": "352ea59028ea48a6fff77f19ae28f98f71946a80",
"status": "affected",
"version": "cc009e613de6560eb499f8bc92c80a737752cb30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11\n\nThe v11 MQD manager incorrectly assigned the CP-compute variants of\ncheckpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions\nuse sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct\nv11_sdma_mqd) (512 bytes), causing a 1536-byte overflow.\n\nDuring CRIU checkpoint of an SDMA queue on Navi3x:\n- checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer,\n leaking 1536 bytes of adjacent GTT memory to userspace\n\nDuring CRIU restore:\n- restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer,\n corrupting 1536 bytes of adjacent GTT memory (often the ring buffer\n or neighboring MQDs)\n\nThis is a copy-paste regression unique to v11. All other ASIC backends\n(cik, vi, v9, v10, v12) correctly use the SDMA-specific variants.\n\nAdd checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly\nhandle the smaller v11_sdma_mqd structure, matching the pattern used in\nother MQD managers.\n\n(cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:30.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1"
},
{
"url": "https://git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2"
},
{
"url": "https://git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64"
},
{
"url": "https://git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6"
},
{
"url": "https://git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80"
}
],
"title": "drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53143",
"datePublished": "2026-06-25T08:38:30.901Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-30T12:09:34.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53221 (GCVE-0-2026-53221)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
  (wildcard remote).
- Tunnels matching the packet's remote address, with any local address
  (wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c327fa4fca31415431202e063767a7ae342e19c6",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "fc657ac0767c49839b3ef0b08dc0953ca30883f8",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "47fb3c2b4203556308e64354b3e78f2ce221d646",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "f513f308cc4bdb4530d033431592ffbc29b7fca1",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "90fd4513315ca07da99cfd8549d3e553a7160f0d",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "2abfb19bbb81958714ad1d43ebeb65b30394184b",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
},
{
"lessThan": "a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9",
"status": "affected",
"version": "fbe68ee87522f6eaa10f9076c0a7117e1613f2f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()\n\nIn vti6_tnl_lookup(), when an exact match for a tunnel fails,\nthe code falls back to searching for wildcard tunnels:\n\n- Tunnels matching the packet\u0027s local address, with any remote address\n wildcard remote).\n\n- Tunnels matching the packet\u0027s remote address, with any local address\n (wildcard local).\n\nHowever, vti6 stores all these different types of tunnels in the same\nhash table (ip6n-\u003etnls_r_l) prone to hash collisions.\n\nThe bug is that the fallback search loops in vti6_tnl_lookup() were\nmissing checks to ensure that the candidate tunnel actually has\na wildcard address."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:33.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c327fa4fca31415431202e063767a7ae342e19c6"
},
{
"url": "https://git.kernel.org/stable/c/fc657ac0767c49839b3ef0b08dc0953ca30883f8"
},
{
"url": "https://git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646"
},
{
"url": "https://git.kernel.org/stable/c/f513f308cc4bdb4530d033431592ffbc29b7fca1"
},
{
"url": "https://git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d"
},
{
"url": "https://git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b"
},
{
"url": "https://git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d"
},
{
"url": "https://git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9"
}
],
"title": "ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53221",
"datePublished": "2026-06-25T08:39:23.177Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-28T06:40:33.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52927 (GCVE-0-2026-52927)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
netfilter: ebtables: fix OOB read in compat_mtw_from_user
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix OOB read in compat_mtw_from_user

Luxiao Xu says:

  The function compat_mtw_from_user() converts ebtables extensions from
  32-bit user structures to kernel native structures. However, it lacks
  proper validation of the user-supplied match_size/target_size.

  When certain extensions are processed, the kernel-side translation
  logic may perform memory accesses based on the extension's expected
  size. If the user provides a size smaller than what the extension
  requires, it results in an out-of-bounds read as reported by KASAN.

  This fix introduces a check to ensure match_size is at least as large
  as the extension's required compatsize. This covers matches, watchers,
  and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go through
match->compat_from_user() call. Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.

Based on an earlier patch from Luxiao Xu.
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebtables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7a8fb6f10d55a1c37b0bf8c20cca24dffd76e00",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "21af4c030567d2e6c89bb927bc18b51fba52a400",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "dad9ebf8107955bb54bd3f9cf22591b6ff37bac1",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "a27cb7325a6c69970041c7f8541fafed5a1ea3ec",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "7ad0e463fc7eafae2141cc38054264636f8b3e94",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "bf8e8eac7ede51dc318e06acef5a896dcbba7595",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "fcc4c043d137e7f1de4673dba1f3116e45377c67",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
},
{
"lessThan": "f438d1786d657d57790c5d138d6db3fc9fdac392",
"status": "affected",
"version": "81e675c227ec60a0bdcbb547dc530ebee23ff931",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebtables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix OOB read in compat_mtw_from_user\n\nLuxiao Xu says:\n\n The function compat_mtw_from_user() converts ebtables extensions from\n 32-bit user structures to kernel native structures. However, it lacks\n proper validation of the user-supplied match_size/target_size.\n\n When certain extensions are processed, the kernel-side translation\n logic may perform memory accesses based on the extension\u0027s expected\n size. If the user provides a size smaller than what the extension\n requires, it results in an out-of-bounds read as reported by KASAN.\n\n This fix introduces a check to ensure match_size is at least as large\n as the extension\u0027s required compatsize. This covers matches, watchers,\n and targets, while maintaining compatibility with standard targets.\n\nAFAIU this is relevant for matches that need to go though\nmatch-\u003ecompat_from_user() call. Those that use plain memcpy with the\nuser-provided size are ok because the caller checks that size vs the\nstart of the next rule entry offset (which itself is checked vs. total\nsize copied from userspace).\n\nThe -\u003ecompat_from_user() callbacks assume they can read compatsize bytes,\nso they need this extra check.\n\nBased on an earlier patch from Luxiao Xu."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:48.195Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7a8fb6f10d55a1c37b0bf8c20cca24dffd76e00"
},
{
"url": "https://git.kernel.org/stable/c/21af4c030567d2e6c89bb927bc18b51fba52a400"
},
{
"url": "https://git.kernel.org/stable/c/dad9ebf8107955bb54bd3f9cf22591b6ff37bac1"
},
{
"url": "https://git.kernel.org/stable/c/a27cb7325a6c69970041c7f8541fafed5a1ea3ec"
},
{
"url": "https://git.kernel.org/stable/c/7ad0e463fc7eafae2141cc38054264636f8b3e94"
},
{
"url": "https://git.kernel.org/stable/c/bf8e8eac7ede51dc318e06acef5a896dcbba7595"
},
{
"url": "https://git.kernel.org/stable/c/fcc4c043d137e7f1de4673dba1f3116e45377c67"
},
{
"url": "https://git.kernel.org/stable/c/f438d1786d657d57790c5d138d6db3fc9fdac392"
}
],
"title": "netfilter: ebtables: fix OOB read in compat_mtw_from_user",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52927",
"datePublished": "2026-06-24T07:14:20.704Z",
"dateReserved": "2026-06-09T07:44:35.368Z",
"dateUpdated": "2026-06-28T06:36:48.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52947 (GCVE-0-2026-52947)
Vulnerability from cvelistv5 – Published: 2026-06-24 16:26 – Updated: 2026-06-28 06:37
Title
net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

In qrtr_port_remove(), the socket reference count is decremented via
__sock_put() before the port is removed from the qrtr_ports XArray and
before the RCU grace period elapses.

This breaks the fundamental RCU update paradigm. It exposes a race
window where a concurrent RCU reader (such as qrtr_reset_ports() or
qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
and attempt to call sock_hold() on a socket whose reference count has
already dropped to zero.

This exact race condition was hit during syzkaller fuzzing, leading to
the following refcount saturation warning and a potential Use-After-Free:

    refcount_t: saturated; leaking memory.
    WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
    Modules linked in: qrtr(+) bochs drm_shmem_helper ...
    Call Trace:
     <TASK>
     qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
     __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
     qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
     kernel_bind+0xe4/0x120 net/socket.c:3592
     qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
     qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
     do_one_initcall+0xf5/0x5e0 init/main.c:1283
     ...
     </TASK>

Fix this by deferring the reference count decrement until after the
xa_erase() and the synchronize_rcu() complete.

(Note: The v1 of this patch incorrectly replaced __sock_put() with
sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
still hold a reference to the socket, so freeing the socket memory here
would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
kept, but only repositioned to close the RCU race.)
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2aa4c12723fe432e623462a3be42a197a128722b",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "03bfa95e452e2b6ccd76a332060ae4feaf5ad84d",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "474293d90880622fde9d2430fb0165767090f7b3",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "2047c2aa0963bb2872fd722300a15bcb441a4c00",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "7de2d447072be3b1a76793f034432338fc9c494b",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "ab269990ed58143a92a263be1bee626d82ac03da",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "3b20ec8f31e8a6a6782243f473b0abd3463621df",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
},
{
"lessThan": "a2171131ecda1ed61a594a1eb715e75fdad0fef5",
"status": "affected",
"version": "bdabad3e363d825ddf9679dd431cca0b2c30f881",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove\n\nIn qrtr_port_remove(), the socket reference count is decremented via\n__sock_put() before the port is removed from the qrtr_ports XArray and\nbefore the RCU grace period elapses.\n\nThis breaks the fundamental RCU update paradigm. It exposes a race\nwindow where a concurrent RCU reader (such as qrtr_reset_ports() or\nqrtr_port_lookup()) can obtain a pointer to the socket from the XArray,\nand attempt to call sock_hold() on a socket whose reference count has\nalready dropped to zero.\n\nThis exact race condition was hit during syzkaller fuzzing, leading to\nthe following refcount saturation warning and a potential Use-After-Free:\n\n refcount_t: saturated; leaking memory.\n WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0\n Modules linked in: qrtr(+) bochs drm_shmem_helper ...\n Call Trace:\n \u003cTASK\u003e\n qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]\n __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]\n qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]\n kernel_bind+0xe4/0x120 net/socket.c:3592\n qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]\n qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]\n do_one_initcall+0xf5/0x5e0 init/main.c:1283\n ...\n \u003c/TASK\u003e\n\nFix this by deferring the reference count decrement until after the\nxa_erase() and the synchronize_rcu() complete.\n\n(Note: The v1 of this patch incorrectly replaced __sock_put() with\nsock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()\nstill hold a reference to the socket, so freeing the socket memory here\nwould lead to a subsequent UAF in the caller. Thus, the __sock_put() is\nkept, but only repositioned to close the RCU race.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:37:05.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2aa4c12723fe432e623462a3be42a197a128722b"
},
{
"url": "https://git.kernel.org/stable/c/03bfa95e452e2b6ccd76a332060ae4feaf5ad84d"
},
{
"url": "https://git.kernel.org/stable/c/474293d90880622fde9d2430fb0165767090f7b3"
},
{
"url": "https://git.kernel.org/stable/c/2047c2aa0963bb2872fd722300a15bcb441a4c00"
},
{
"url": "https://git.kernel.org/stable/c/7de2d447072be3b1a76793f034432338fc9c494b"
},
{
"url": "https://git.kernel.org/stable/c/ab269990ed58143a92a263be1bee626d82ac03da"
},
{
"url": "https://git.kernel.org/stable/c/3b20ec8f31e8a6a6782243f473b0abd3463621df"
},
{
"url": "https://git.kernel.org/stable/c/a2171131ecda1ed61a594a1eb715e75fdad0fef5"
}
],
"title": "net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52947",
"datePublished": "2026-06-24T16:26:05.062Z",
"dateReserved": "2026-06-09T07:44:35.371Z",
"dateUpdated": "2026-06-28T06:37:05.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52934 (GCVE-0-2026-52934)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
batman-adv: tvlv: reject oversized TVLV packets
Summary
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < c02aa6c0c9d1bea9bb75dea362b75ad225137bae (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < 1595628a2f877d052eda18865ccf539392c47c04 (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < 6448a49344e87487b61bd88cb850cd694a0f576d (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < 13493b00dd1e05a705981e052158652ea23eb482 (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < 94db72e9dac202e017ee3db22c59d17e4f3bf171 (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < ede47988ac5687793745b17c1634a496a2299919 (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < 94a3d72cd9b21116d7c6d5bdc57c11401fc28557 (git) |
| Linux | Linux | Affected: ef26157747d42254453f6b3ac2bd8bd3c53339c3, < f50487e3566358b2b982b7801945e858c78ad9ab (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tvlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c02aa6c0c9d1bea9bb75dea362b75ad225137bae",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "1595628a2f877d052eda18865ccf539392c47c04",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "6448a49344e87487b61bd88cb850cd694a0f576d",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "13493b00dd1e05a705981e052158652ea23eb482",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "94db72e9dac202e017ee3db22c59d17e4f3bf171",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "ede47988ac5687793745b17c1634a496a2299919",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "94a3d72cd9b21116d7c6d5bdc57c11401fc28557",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
},
{
"lessThan": "f50487e3566358b2b982b7801945e858c78ad9ab",
"status": "affected",
"version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tvlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tvlv: reject oversized TVLV packets\n\nbatadv_tvlv_container_ogm_append() builds a TVLV packet section from\nthe tvlv.container_list. The total size of this section is computed by\nbatadv_tvlv_container_list_size(), which sums the sizes of all registered\ncontainers.\n\nThe return type and accumulator in batadv_tvlv_container_list_size() were\nu16. If the accumulated size exceeds U16_MAX, the value wraps around,\ncausing the subsequent allocation in batadv_tvlv_container_ogm_append()\nto be undersized. The memcpy-style copy that follows would then write\nbeyond the end of the allocated buffer, corrupting kernel memory.\n\nFix this by widening the return type of batadv_tvlv_container_list_size()\nto size_t. In batadv_tvlv_container_ogm_append(), check the computed length\nagainst U16_MAX before proceeding, and bail out as if the allocation had\nfailed when the limit is exceeded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:55.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae"
},
{
"url": "https://git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04"
},
{
"url": "https://git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d"
},
{
"url": "https://git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482"
},
{
"url": "https://git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171"
},
{
"url": "https://git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919"
},
{
"url": "https://git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557"
},
{
"url": "https://git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab"
}
],
"title": "batman-adv: tvlv: reject oversized TVLV packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52934",
"datePublished": "2026-06-24T07:14:25.321Z",
"dateReserved": "2026-06-09T07:44:35.369Z",
"dateUpdated": "2026-06-28T06:36:55.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53135 (GCVE-0-2026-53135)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < ee9cfcf77a8e8af637396dc00966df5f701e661c (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < b781f90a9528555c709e59789550893581ef0be4 (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < a2de1d71891a038a9346b2c1a72b88c8350f2479 (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < 7fc4fab4acc307ad2903312c195872b2953d32c3 (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < 7ae95c0275c330b5dbae806f8e431720edad776f (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < bb6f705b73b5f191f14ad004e2c8c4b615806187 (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < c90954cdea4d6998ec345de0d840d030c145b89e (git) |
| Linux | Linux | Affected: c7ba3653e9773256b2b08508a2ed2ca28ea7566b, < adf67034b1f61f7119295208085bfd43f85f56af (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee9cfcf77a8e8af637396dc00966df5f701e661c",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "b781f90a9528555c709e59789550893581ef0be4",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "a2de1d71891a038a9346b2c1a72b88c8350f2479",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "7fc4fab4acc307ad2903312c195872b2953d32c3",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "7ae95c0275c330b5dbae806f8e431720edad776f",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "bb6f705b73b5f191f14ad004e2c8c4b615806187",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "c90954cdea4d6998ec345de0d840d030c145b89e",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
},
{
"lessThan": "adf67034b1f61f7119295208085bfd43f85f56af",
"status": "affected",
"version": "c7ba3653e9773256b2b08508a2ed2ca28ea7566b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs\n\n[Why \u0026 How]\ndp_sdp_message_debugfs_write() dereferences connector-\u003ebase.state-\u003ecrtc\nwithout checking for NULL. A connector can be connected but not bound to\nany CRTC (e.g. after hot-plug before the next atomic commit), causing a\nkernel crash when writing to the sdp_message debugfs node.\n\nThe function also ignores the user-provided size argument and always\npasses 36 bytes to copy_from_user(), reading past the user buffer when\nsize \u003c 36.\n\nFix both issues by:\n- Returning -ENODEV when connector-\u003ebase.state or state-\u003ecrtc is NULL\n- Clamping write_size to min(size, sizeof(data))\n\n(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:24.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee9cfcf77a8e8af637396dc00966df5f701e661c"
},
{
"url": "https://git.kernel.org/stable/c/b781f90a9528555c709e59789550893581ef0be4"
},
{
"url": "https://git.kernel.org/stable/c/a2de1d71891a038a9346b2c1a72b88c8350f2479"
},
{
"url": "https://git.kernel.org/stable/c/7fc4fab4acc307ad2903312c195872b2953d32c3"
},
{
"url": "https://git.kernel.org/stable/c/7ae95c0275c330b5dbae806f8e431720edad776f"
},
{
"url": "https://git.kernel.org/stable/c/bb6f705b73b5f191f14ad004e2c8c4b615806187"
},
{
"url": "https://git.kernel.org/stable/c/c90954cdea4d6998ec345de0d840d030c145b89e"
},
{
"url": "https://git.kernel.org/stable/c/adf67034b1f61f7119295208085bfd43f85f56af"
}
],
"title": "drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53135",
"datePublished": "2026-06-25T08:38:24.216Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-25T08:38:24.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53245 (GCVE-0-2026-53245)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.

The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.

Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.

Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.

Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < ae65714d96f68bb252eb20085320bdaacab36c00 (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < 36d259711872e3b2f6cd76a4d270c21931c0f35f (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < cc98717e591a963a616fdf15ecf48eefaf45d758 (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < 6d6e42e8e17f18d61327f8653479c5b5e161ae1d (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < fd9c3a47c670bec6b18f44454cea023f93b5adb3 (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < 42446ca0f3570663e87183c065e0b4def52dfba2 (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < 6eea6494e542a03cdf755a593b7d74f3f7c260fd (git) |
| Linux | Linux | Affected: febf018d22347b5df94066bca05d0c11a84e839d, < 7561c7fbc694308da73300f036719e63e42bf0b4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae65714d96f68bb252eb20085320bdaacab36c00",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "36d259711872e3b2f6cd76a4d270c21931c0f35f",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "cc98717e591a963a616fdf15ecf48eefaf45d758",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "6d6e42e8e17f18d61327f8653479c5b5e161ae1d",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "fd9c3a47c670bec6b18f44454cea023f93b5adb3",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "42446ca0f3570663e87183c065e0b4def52dfba2",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "6eea6494e542a03cdf755a593b7d74f3f7c260fd",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "7561c7fbc694308da73300f036719e63e42bf0b4",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr\n\nIn mrp_pdu_parse_vecattr(), vector attribute events are encoded three\nper byte and valen tracks the number of events left to process.\n\nThe parser decrements valen after processing the first and second events\nfrom each event byte, but not after processing the third one. When valen\nis exactly a multiple of three, the loop continues after the last valid\nevent and consumes the next byte as a new event byte, applying a\nspurious event to the MRP applicant state.\n\nAdditionally, when valen is zero the parser unconditionally consumes\nattrlen bytes as FirstValue and advances the offset, even though per\nIEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of\nzero and no FirstValue or Vector fields. This corrupts the offset for\nsubsequent PDU parsing.\n\nAlso, when valen exceeds three the loop crosses byte boundaries but\nthe attribute value is not incremented between the last event of one\nbyte and the first event of the next. This causes the first event of\nthe next byte to use the same attribute value as the third event\nrather than the next consecutive value.\n\nDecrement valen after processing the third event, skip FirstValue\nconsumption when valen is zero, and increment the attribute value at\nthe end of each loop iteration."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:39.108Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae65714d96f68bb252eb20085320bdaacab36c00"
},
{
"url": "https://git.kernel.org/stable/c/36d259711872e3b2f6cd76a4d270c21931c0f35f"
},
{
"url": "https://git.kernel.org/stable/c/cc98717e591a963a616fdf15ecf48eefaf45d758"
},
{
"url": "https://git.kernel.org/stable/c/6d6e42e8e17f18d61327f8653479c5b5e161ae1d"
},
{
"url": "https://git.kernel.org/stable/c/fd9c3a47c670bec6b18f44454cea023f93b5adb3"
},
{
"url": "https://git.kernel.org/stable/c/42446ca0f3570663e87183c065e0b4def52dfba2"
},
{
"url": "https://git.kernel.org/stable/c/6eea6494e542a03cdf755a593b7d74f3f7c260fd"
},
{
"url": "https://git.kernel.org/stable/c/7561c7fbc694308da73300f036719e63e42bf0b4"
}
],
"title": "net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53245",
"datePublished": "2026-06-25T08:39:39.108Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-25T08:39:39.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53148 (GCVE-0-2026-53148)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-30 12:09
Title
thunderbolt: Clamp XDomain response data copy to allocation size
Summary
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Clamp XDomain response data copy to allocation size

tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.

Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 0b334279a82d79fb4723bd4f614305de1ab69caa (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 6021d39ccd979713b39b980286020d8f9a45efd1 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 5db10c8ad8c09f72c847dfeef3d876098257f505 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 05a43157676c243c248d1c6d9dcecbe6eba2f35d (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < fcbd0cdab92838854a5818be7ed8a097164ef6d5 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 906035d5c3784570191d259cbf9a0ac1617852b5 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 322e93448d908434ae5545660fcbe8f5a7a8e141 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Thunderbolt driver. A malicious peer can exploit this vulnerability by sending a specially crafted response that causes the system to write data beyond an allocated memory buffer. This out-of-bounds write can lead to memory corruption, which may allow an attacker to cause a denial of service or potentially execute arbitrary code."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:33.538Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53148"
},
{
"name": "RHBZ#2492756",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492756"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53148.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: thunderbolt: Clamp XDomain response data copy to allocation size",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b334279a82d79fb4723bd4f614305de1ab69caa",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "6021d39ccd979713b39b980286020d8f9a45efd1",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "5db10c8ad8c09f72c847dfeef3d876098257f505",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "05a43157676c243c248d1c6d9dcecbe6eba2f35d",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "fcbd0cdab92838854a5818be7ed8a097164ef6d5",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "906035d5c3784570191d259cbf9a0ac1617852b5",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "322e93448d908434ae5545660fcbe8f5a7a8e141",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Clamp XDomain response data copy to allocation size\n\ntb_xdp_properties_request() derives the per-packet copy length from\nthe response header without checking that it fits in the previously\nallocated data buffer. A malicious peer can set its length field\nlarger than the declared data_length, causing memcpy to write past\nthe kcalloc allocation.\n\nClamp the per-packet copy length so that the cumulative offset\nnever exceeds data_len."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:34.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b334279a82d79fb4723bd4f614305de1ab69caa"
},
{
"url": "https://git.kernel.org/stable/c/6021d39ccd979713b39b980286020d8f9a45efd1"
},
{
"url": "https://git.kernel.org/stable/c/89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d"
},
{
"url": "https://git.kernel.org/stable/c/5db10c8ad8c09f72c847dfeef3d876098257f505"
},
{
"url": "https://git.kernel.org/stable/c/05a43157676c243c248d1c6d9dcecbe6eba2f35d"
},
{
"url": "https://git.kernel.org/stable/c/fcbd0cdab92838854a5818be7ed8a097164ef6d5"
},
{
"url": "https://git.kernel.org/stable/c/906035d5c3784570191d259cbf9a0ac1617852b5"
},
{
"url": "https://git.kernel.org/stable/c/322e93448d908434ae5545660fcbe8f5a7a8e141"
}
],
"title": "thunderbolt: Clamp XDomain response data copy to allocation size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53148",
"datePublished": "2026-06-25T08:38:34.208Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-30T12:09:33.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53176 (GCVE-0-2026-53176)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-07-03 12:05
Title
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
Summary
In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
Severity
9.8 (Critical)
CWE
- CWE-839 - Numeric Range Comparison Without Minimum Check
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < 75ee6e4aa096aa9e7b2dd5c8ff98356e30aceefb (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < e8a013c0c3ca2f6708341a56612a3f6d6921620a (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < bd22740d7f14cb1c0289444cfd2c8d2938667c1d (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < c1234229399f4af12c553b1b0ffd978eeba65548 (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < c5584e089b5af7b3bf8bd5e8ca0560cbf32b0a47 (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < df422fd273c96c2ee5beb80fc21adc8c70c29260 (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < 1ca40b243277c9e88be5e00bd3e083f71aefb93e (git) |
| Linux | Linux | Affected: b8d26b3be8b33682cf163274ed07479a70554633, < 29e7b925ae6df64894e82ab6419994dc25580a8a (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Internet Small Computer System Interface (iSCSI) Extensions for Remote Direct Memory Access (RDMA) (iSER) module. A remote attacker can send a specially crafted login request with a payload shorter than expected, leading to an integer underflow. This underflow causes a negative length to be used in a memory copy operation, resulting in an out-of-bounds write that crashes the system. This vulnerability allows an unauthenticated remote attacker to cause a Denial of Service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-839",
"description": "Numeric Range Comparison Without Minimum Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:05:09.409Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53176"
},
{
"name": "RHBZ#2492741",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492741"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53176.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, prevent module ib_isert from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/isert/ib_isert.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75ee6e4aa096aa9e7b2dd5c8ff98356e30aceefb",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "e8a013c0c3ca2f6708341a56612a3f6d6921620a",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "bd22740d7f14cb1c0289444cfd2c8d2938667c1d",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "c1234229399f4af12c553b1b0ffd978eeba65548",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "c5584e089b5af7b3bf8bd5e8ca0560cbf32b0a47",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "df422fd273c96c2ee5beb80fc21adc8c70c29260",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "1ca40b243277c9e88be5e00bd3e083f71aefb93e",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
},
{
"lessThan": "29e7b925ae6df64894e82ab6419994dc25580a8a",
"status": "affected",
"version": "b8d26b3be8b33682cf163274ed07479a70554633",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/isert/ib_isert.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN\n\nIn drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()\ncomputes the login request payload length as wc-\u003ebyte_len minus\nISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.\nA remote iSER initiator can post a login Send work request carrying\nfewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows\nand login_req_len becomes negative.\n\nisert_rx_login_req() then reads that negative length back into a signed\nint, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the\nmin() is signed it keeps the negative value; the value is then passed as\nthe memcpy() length and sign-extended to a multi-gigabyte size_t. The\ncopy into the 8192-byte login-\u003ereq_buf runs far out of bounds and\nfaults, crashing the target node. The login phase precedes iSCSI\nauthentication, so no credentials are required to reach this path.\n\nReject any login PDU shorter than ISER_HEADERS_LEN before the\nsubtraction, mirroring the existing early return on a failed work\ncompletion, so login_req_len can never go negative. The upper bound was\nalready safe: a posted login buffer cannot deliver more than\nISER_RX_PAYLOAD_SIZE, so the difference stays at or below\nMAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing\nlower bound needs to be added."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:50.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75ee6e4aa096aa9e7b2dd5c8ff98356e30aceefb"
},
{
"url": "https://git.kernel.org/stable/c/e8a013c0c3ca2f6708341a56612a3f6d6921620a"
},
{
"url": "https://git.kernel.org/stable/c/bd22740d7f14cb1c0289444cfd2c8d2938667c1d"
},
{
"url": "https://git.kernel.org/stable/c/c1234229399f4af12c553b1b0ffd978eeba65548"
},
{
"url": "https://git.kernel.org/stable/c/c5584e089b5af7b3bf8bd5e8ca0560cbf32b0a47"
},
{
"url": "https://git.kernel.org/stable/c/df422fd273c96c2ee5beb80fc21adc8c70c29260"
},
{
"url": "https://git.kernel.org/stable/c/1ca40b243277c9e88be5e00bd3e083f71aefb93e"
},
{
"url": "https://git.kernel.org/stable/c/29e7b925ae6df64894e82ab6419994dc25580a8a"
}
],
"title": "IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53176",
"datePublished": "2026-06-25T08:38:52.693Z",
"dateReserved": "2026-06-09T07:44:35.389Z",
"dateUpdated": "2026-07-03T12:05:09.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53207 (GCVE-0-2026-53207)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
when racing with a concurrent unmap:

thread#0 thread#1
-------- --------
madvise(folio, MADV_HWPOISON)
-> poisons the folio successfully
madvise(folio, MADV_HWPOISON) unmap(folio)
try_memory_failure_hugetlb
get_huge_page_for_hwpoison
spin_lock_irq(&hugetlb_lock) <- held
__get_huge_page_for_hwpoison
hugetlb_update_hwpoison()
-> MF_HUGETLB_FOLIO_PRE_POISONED
goto out:
folio_put()
refcount: 1 -> 0
free_huge_folio()
spin_lock_irqsave(&hugetlb_lock)
-> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
the GUP reference while the hugetlb_lock is still held by the hugetlb.c
wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released
the page table mapping reference, folio_put() drops the folio refcount to
zero, triggering free_huge_folio() which attempts to re-acquire the
non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the
folio_put() at the out: label so the folio is always released outside the
lock.

[akpm@linux-foundation.org: fix race, rename label per Miaohe]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < fc3ff42cb0cbf947e4600ae9761c3783760050e2 (git) |
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < 77b73b54801ae7137479c141fd0473a491c1dc48 (git) |
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < a33bfed648c10f5a1519981dbfad80841191edc8 (git) |
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < dd77a83915b07e2b0205adb284f08b39ae31dc4b (git) |
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < bf7ba8f96c258c30393814491930ae4ecdc5fe5e (git) |
| Linux | Linux | Affected: 405ce051236cc65b30bbfe490b28ce60ae6aed85, < 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e (git) |
| Linux | Linux | Affected: 62d1655b922958826b7ec22682c3141746f75064 (git) |
| Linux | Linux | Affected: 5.15.54, < 5.16 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h",
"include/linux/mm.h",
"mm/hugetlb.c",
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc3ff42cb0cbf947e4600ae9761c3783760050e2",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"lessThan": "77b73b54801ae7137479c141fd0473a491c1dc48",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"lessThan": "a33bfed648c10f5a1519981dbfad80841191edc8",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"lessThan": "dd77a83915b07e2b0205adb284f08b39ae31dc4b",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"lessThan": "bf7ba8f96c258c30393814491930ae4ecdc5fe5e",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"lessThan": "3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e",
"status": "affected",
"version": "405ce051236cc65b30bbfe490b28ce60ae6aed85",
"versionType": "git"
},
{
"status": "affected",
"version": "62d1655b922958826b7ec22682c3141746f75064",
"versionType": "git"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.54",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h",
"include/linux/mm.h",
"mm/hugetlb.c",
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison\n\nTwo concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can\ntrigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock\nwhen racing with a concurrent unmap:\n\n thread#0 thread#1\n -------- --------\n madvise(folio, MADV_HWPOISON)\n -\u003e poisons the folio successfully\n madvise(folio, MADV_HWPOISON) unmap(folio)\n try_memory_failure_hugetlb\n get_huge_page_for_hwpoison\n spin_lock_irq(\u0026hugetlb_lock) \u003c- held\n __get_huge_page_for_hwpoison\n hugetlb_update_hwpoison()\n -\u003e MF_HUGETLB_FOLIO_PRE_POISONED\n goto out:\n folio_put()\n refcount: 1 -\u003e 0\n free_huge_folio()\n spin_lock_irqsave(\u0026hugetlb_lock)\n -\u003e AA DEADLOCK!\n\nThe out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop\nthe GUP reference while the hugetlb_lock is still held by the hugetlb.c\nwrapper get_huge_page_for_hwpoison(). If concurrent unmap has released\nthe page table mapping reference, folio_put() drops the folio refcount to\nzero, triggering free_huge_folio() which attempts to re-acquire the\nnon-recursive hugetlb_lock.\n\nFix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper\ninto get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the\nfolio_put() at the out: label so the folio is always released outside the\nlock.\n\n[akpm@linux-foundation.org: fix race, rename label per Miaohe]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:13.592Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc3ff42cb0cbf947e4600ae9761c3783760050e2"
},
{
"url": "https://git.kernel.org/stable/c/77b73b54801ae7137479c141fd0473a491c1dc48"
},
{
"url": "https://git.kernel.org/stable/c/a33bfed648c10f5a1519981dbfad80841191edc8"
},
{
"url": "https://git.kernel.org/stable/c/dd77a83915b07e2b0205adb284f08b39ae31dc4b"
},
{
"url": "https://git.kernel.org/stable/c/bf7ba8f96c258c30393814491930ae4ecdc5fe5e"
},
{
"url": "https://git.kernel.org/stable/c/3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e"
}
],
"title": "mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53207",
"datePublished": "2026-06-25T08:39:13.592Z",
"dateReserved": "2026-06-09T07:44:35.391Z",
"dateUpdated": "2026-06-25T08:39:13.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52926 (GCVE-0-2026-52926)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
batman-adv: clear current gateway during teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: clear current gateway during teardown

batadv_gw_node_free() removes the gateway list entries during mesh teardown,
but it does not clear the currently selected gateway. This leaves stale
gateway state behind across cleanup and can break a later mesh recreation.

Clear bat_priv->gw.curr_gw before walking the gateway list so the selected
gateway reference is dropped as part of teardown.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < a3f3f1ec8aad84c5dd386c430b9c61cddd85b18f (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < e2ec4c712d19141ca7bf7fbbb1d842f73abaa186 (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < 9a1a8ed4facfe843bde6fdfcf7af0e9923eb2e17 (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < 6de089b545db013433cf934bb4e4433dec2dd65f (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < 30bda3ef4b0cac777f1a7c314cd08b8ff6437365 (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < ae7aeb0ce3c0ebbe357ed525779acac197a18086 (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < 17e3a441111cd1a530cd6ee69a22f3161d80d810 (git) |
| Linux | Linux | Affected: 2265c141086474bbae55a5bb3afa1ebb78ccaa7c, < a340a51ed801eab7bb454150c226323b865263cc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/gateway_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3f3f1ec8aad84c5dd386c430b9c61cddd85b18f",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "e2ec4c712d19141ca7bf7fbbb1d842f73abaa186",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "9a1a8ed4facfe843bde6fdfcf7af0e9923eb2e17",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "6de089b545db013433cf934bb4e4433dec2dd65f",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "30bda3ef4b0cac777f1a7c314cd08b8ff6437365",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "ae7aeb0ce3c0ebbe357ed525779acac197a18086",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "17e3a441111cd1a530cd6ee69a22f3161d80d810",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
},
{
"lessThan": "a340a51ed801eab7bb454150c226323b865263cc",
"status": "affected",
"version": "2265c141086474bbae55a5bb3afa1ebb78ccaa7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/gateway_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: clear current gateway during teardown\n\nbatadv_gw_node_free() removes the gateway list entries during mesh teardown,\nbut it does not clear the currently selected gateway. This leaves stale\ngateway state behind across cleanup and can break a later mesh recreation.\n\nClear bat_priv-\u003egw.curr_gw before walking the gateway list so the selected\ngateway reference is dropped as part of teardown."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:20.057Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3f3f1ec8aad84c5dd386c430b9c61cddd85b18f"
},
{
"url": "https://git.kernel.org/stable/c/e2ec4c712d19141ca7bf7fbbb1d842f73abaa186"
},
{
"url": "https://git.kernel.org/stable/c/9a1a8ed4facfe843bde6fdfcf7af0e9923eb2e17"
},
{
"url": "https://git.kernel.org/stable/c/6de089b545db013433cf934bb4e4433dec2dd65f"
},
{
"url": "https://git.kernel.org/stable/c/30bda3ef4b0cac777f1a7c314cd08b8ff6437365"
},
{
"url": "https://git.kernel.org/stable/c/ae7aeb0ce3c0ebbe357ed525779acac197a18086"
},
{
"url": "https://git.kernel.org/stable/c/17e3a441111cd1a530cd6ee69a22f3161d80d810"
},
{
"url": "https://git.kernel.org/stable/c/a340a51ed801eab7bb454150c226323b865263cc"
}
],
"title": "batman-adv: clear current gateway during teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52926",
"datePublished": "2026-06-24T07:14:20.057Z",
"dateReserved": "2026-06-09T07:44:35.368Z",
"dateUpdated": "2026-06-24T07:14:20.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53177 (GCVE-0-2026-53177)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
bnxt_en: Fix NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix NULL pointer dereference

PCIe errors detected by a Root Port or Downstream Port cause error
recovery services to run on all subordinate devices regardless of
administrative state.

The .error_detected() callback, bnxt_io_error_detected(), disables
and synchronizes IRQs via bnxt_disable_int_sync(), which calls
bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
bp->bnapi.

Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
error recovery on a closed NIC can dereference a NULL pointer.

Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 964b1c3eb71afe58bb61c8b984164447e000ae8a (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 59c5a3e69c7630a811565937e64be70b08436761 (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 1a418ad0e5e525d1d117dd1601681f75455af320 (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 08e57d014ea19f303d5d57a849beb846f37788b7 (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 3884976f87448e269908ae61bd5d62d54ce9c0c7 (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < 580844a9683afe7974856dd5b7886447435b3474 (git) |
| Linux | Linux | Affected: e5811b8c09df9bc80eabc95339fceded23f16289, < d930276f2cddd0b7294cac7a8fe7b877f6d9e08d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "964b1c3eb71afe58bb61c8b984164447e000ae8a",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "59c5a3e69c7630a811565937e64be70b08436761",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "1a418ad0e5e525d1d117dd1601681f75455af320",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "08e57d014ea19f303d5d57a849beb846f37788b7",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "3884976f87448e269908ae61bd5d62d54ce9c0c7",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "580844a9683afe7974856dd5b7886447435b3474",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
},
{
"lessThan": "d930276f2cddd0b7294cac7a8fe7b877f6d9e08d",
"status": "affected",
"version": "e5811b8c09df9bc80eabc95339fceded23f16289",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix NULL pointer dereference\n\nPCIe errors detected by a Root Port or Downstream Port cause error\nrecovery services to run on all subordinate devices regardless of\nadministrative state.\n\nThe .error_detected() callback, bnxt_io_error_detected(), disables\nand synchronizes IRQs via bnxt_disable_int_sync(), which calls\nbnxt_cp_num_to_irq_num() to map completion rings to IRQs using\nbp-\u003ebnapi.\n\nSince bp-\u003ebnapi is allocated on NIC open and freed on NIC close, PCIe\nerror recovery on a closed NIC can dereference a NULL pointer.\n\nCheck if bp-\u003ebnapi is NULL before disabling and synchronizing IRQs."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:53.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/964b1c3eb71afe58bb61c8b984164447e000ae8a"
},
{
"url": "https://git.kernel.org/stable/c/59c5a3e69c7630a811565937e64be70b08436761"
},
{
"url": "https://git.kernel.org/stable/c/1a418ad0e5e525d1d117dd1601681f75455af320"
},
{
"url": "https://git.kernel.org/stable/c/08e57d014ea19f303d5d57a849beb846f37788b7"
},
{
"url": "https://git.kernel.org/stable/c/3884976f87448e269908ae61bd5d62d54ce9c0c7"
},
{
"url": "https://git.kernel.org/stable/c/580844a9683afe7974856dd5b7886447435b3474"
},
{
"url": "https://git.kernel.org/stable/c/d930276f2cddd0b7294cac7a8fe7b877f6d9e08d"
}
],
"title": "bnxt_en: Fix NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53177",
"datePublished": "2026-06-25T08:38:53.347Z",
"dateReserved": "2026-06-09T07:44:35.389Z",
"dateUpdated": "2026-06-25T08:38:53.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52942 (GCVE-0-2026-52942)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:37
Title
netfilter: nf_log: validate MAC header was set before dumping it
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_log: validate MAC header was set before dumping it

The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.

This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).

Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.

  BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
  Read of size 1 at addr ffff88800ea49d3f by task exploit/148
  Call Trace:
   kasan_report (mm/kasan/report.c:595)
   dump_mac_header (net/netfilter/nf_log_syslog.c:831)
   nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
   nf_log_packet (net/netfilter/nf_log.c:260)
   nft_log_eval (net/netfilter/nft_log.c:60)
   nft_do_chain (net/netfilter/nf_tables_core.c:285)
   nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
   nf_hook_slow (net/netfilter/core.c:619)
   nf_hook_direct_egress (net/packet/af_packet.c:257)
   packet_xmit (net/packet/af_packet.c:280)
   packet_sendmsg (net/packet/af_packet.c:3114)
   __sys_sendto (net/socket.c:2265)
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < d704ee9c7bc68a161684c51a7ac05b446dcf38d4 (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < befb8968a2abdfa948d5600ea7f7a509a292a590 (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < 8a81e336da685423f5b64aac4d571e63d674c52a (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < c38d41134085193efd5b237cf513ad5b3421a60d (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < af1b7699466f6556b351fa25d3dc870abfb5d310 (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < 65ef7397eb9a296e91839f5fd10be96f23d332e7 (git) |
| Linux | Linux | Affected: 7eb9282cd0efac08b8377cbd5037ba297c77e3f7, < a84b6fedbc97078788be78dbdd7517d143ad1a77 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_log_syslog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d704ee9c7bc68a161684c51a7ac05b446dcf38d4",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "befb8968a2abdfa948d5600ea7f7a509a292a590",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "8a81e336da685423f5b64aac4d571e63d674c52a",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "c38d41134085193efd5b237cf513ad5b3421a60d",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "af1b7699466f6556b351fa25d3dc870abfb5d310",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "65ef7397eb9a296e91839f5fd10be96f23d332e7",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
},
{
"lessThan": "a84b6fedbc97078788be78dbdd7517d143ad1a77",
"status": "affected",
"version": "7eb9282cd0efac08b8377cbd5037ba297c77e3f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_log_syslog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_log: validate MAC header was set before dumping it\n\nThe fallback path of dump_mac_header() guards the MAC header access\nonly with \"skb-\u003emac_header != skb-\u003enetwork_header\", without checking\nskb_mac_header_was_set(). When the MAC header is unset, mac_header is\n0xffff, so the test passes and skb_mac_header(skb) returns\nskb-\u003ehead + 0xffff, ~64 KiB past the buffer; the loop then reads\ndev-\u003ehard_header_len bytes out of bounds into the kernel log.\n\nThis is reachable via the netdev logger: nf_log_unknown_packet() calls\ndump_mac_header() unconditionally, and an skb sent through AF_PACKET\nwith PACKET_QDISC_BYPASS reaches the egress hook with mac_header still\nunset (__dev_queue_xmit(), which would reset it, is bypassed).\n\nAdd the skb_mac_header_was_set() check the ARPHRD_ETHER path already\nuses, and replace the open-coded MAC header length test with\nskb_mac_header_len(). Only skbs with an unset MAC header are affected;\nvalid ones are dumped as before.\n\n BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n Read of size 1 at addr ffff88800ea49d3f by task exploit/148\n Call Trace:\n kasan_report (mm/kasan/report.c:595)\n dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)\n nf_log_packet (net/netfilter/nf_log.c:260)\n nft_log_eval (net/netfilter/nft_log.c:60)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)\n nf_hook_slow (net/netfilter/core.c:619)\n nf_hook_direct_egress (net/packet/af_packet.c:257)\n packet_xmit (net/packet/af_packet.c:280)\n packet_sendmsg (net/packet/af_packet.c:3114)\n __sys_sendto (net/socket.c:2265)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:37:00.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d704ee9c7bc68a161684c51a7ac05b446dcf38d4"
},
{
"url": "https://git.kernel.org/stable/c/befb8968a2abdfa948d5600ea7f7a509a292a590"
},
{
"url": "https://git.kernel.org/stable/c/8a81e336da685423f5b64aac4d571e63d674c52a"
},
{
"url": "https://git.kernel.org/stable/c/c38d41134085193efd5b237cf513ad5b3421a60d"
},
{
"url": "https://git.kernel.org/stable/c/af1b7699466f6556b351fa25d3dc870abfb5d310"
},
{
"url": "https://git.kernel.org/stable/c/65ef7397eb9a296e91839f5fd10be96f23d332e7"
},
{
"url": "https://git.kernel.org/stable/c/a84b6fedbc97078788be78dbdd7517d143ad1a77"
}
],
"title": "netfilter: nf_log: validate MAC header was set before dumping it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52942",
"datePublished": "2026-06-24T07:14:30.610Z",
"dateReserved": "2026-06-09T07:44:35.370Z",
"dateUpdated": "2026-06-28T06:37:00.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53160 (GCVE-0-2026-53160)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
misc: fastrpc: fix use-after-free race in fastrpc_map_create
Summary
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free race in fastrpc_map_create

fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
on this unprotected pointer. A concurrent MEM_UNMAP can free the map
between the lock release and the kref operation, resulting in a
use-after-free on the freed slab object.

Restore the take_ref parameter to fastrpc_map_lookup so the reference
is acquired atomically under fl->lock before the pointer is exposed to
the caller.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0b70ec82b309a4093106ff399da1911ad23b52d3, < 0a3b87293fbd34fda651e6aead9964f84b893962 (git) |
| Linux | Linux | Affected: d7513b47082c08105e837b06cebeb3f07a5fa56f, < 8b080c89183196fd3e49212f2a1a1c4a29335b9c (git) |
| Linux | Linux | Affected: 802359a52676176b18713e33caa17572ad009057, < 5b0166112019d1dce30b976ab28fd67f7f0be532 (git) |
| Linux | Linux | Affected: 10df039834f84a297c72ec962c0f9b7c8c5ca31a, < 992f121796b7ca83a5a8b93da24e971363206218 (git) |
| Linux | Linux | Affected: 10df039834f84a297c72ec962c0f9b7c8c5ca31a, < f20f6512ecb75c816e0debf4551a138f098615c4 (git) |
| Linux | Linux | Affected: 10df039834f84a297c72ec962c0f9b7c8c5ca31a, < 07ebe87915d8accdaba20c4f88c5ae430fe62fbb (git) |
| Linux | Linux | Affected: f3f59bab68e9bc714f757ab22f3fb36153014043 (git) |
| Linux | Linux | Affected: 6.1.156, < 6.1.176 (semver) |
| Linux | Linux | Affected: 6.6.112, < 6.6.143 (semver) |
| Linux | Linux | Affected: 6.12.53, < 6.12.94 (semver) |
| Linux | Linux | Affected: 6.17.3, < 6.18 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a3b87293fbd34fda651e6aead9964f84b893962",
"status": "affected",
"version": "0b70ec82b309a4093106ff399da1911ad23b52d3",
"versionType": "git"
},
{
"lessThan": "8b080c89183196fd3e49212f2a1a1c4a29335b9c",
"status": "affected",
"version": "d7513b47082c08105e837b06cebeb3f07a5fa56f",
"versionType": "git"
},
{
"lessThan": "5b0166112019d1dce30b976ab28fd67f7f0be532",
"status": "affected",
"version": "802359a52676176b18713e33caa17572ad009057",
"versionType": "git"
},
{
"lessThan": "992f121796b7ca83a5a8b93da24e971363206218",
"status": "affected",
"version": "10df039834f84a297c72ec962c0f9b7c8c5ca31a",
"versionType": "git"
},
{
"lessThan": "f20f6512ecb75c816e0debf4551a138f098615c4",
"status": "affected",
"version": "10df039834f84a297c72ec962c0f9b7c8c5ca31a",
"versionType": "git"
},
{
"lessThan": "07ebe87915d8accdaba20c4f88c5ae430fe62fbb",
"status": "affected",
"version": "10df039834f84a297c72ec962c0f9b7c8c5ca31a",
"versionType": "git"
},
{
"status": "affected",
"version": "f3f59bab68e9bc714f757ab22f3fb36153014043",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix use-after-free race in fastrpc_map_create\n\nfastrpc_map_lookup returns a raw pointer after releasing fl-\u003elock. The\ncaller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)\non this unprotected pointer. A concurrent MEM_UNMAP can free the map\nbetween the lock release and the kref operation, resulting in a\nuse-after-free on the freed slab object.\n\nRestore the take_ref parameter to fastrpc_map_lookup so the reference\nis acquired atomically under fl-\u003elock before the pointer is exposed to\nthe caller."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:36.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a3b87293fbd34fda651e6aead9964f84b893962"
},
{
"url": "https://git.kernel.org/stable/c/8b080c89183196fd3e49212f2a1a1c4a29335b9c"
},
{
"url": "https://git.kernel.org/stable/c/5b0166112019d1dce30b976ab28fd67f7f0be532"
},
{
"url": "https://git.kernel.org/stable/c/992f121796b7ca83a5a8b93da24e971363206218"
},
{
"url": "https://git.kernel.org/stable/c/f20f6512ecb75c816e0debf4551a138f098615c4"
},
{
"url": "https://git.kernel.org/stable/c/07ebe87915d8accdaba20c4f88c5ae430fe62fbb"
}
],
"title": "misc: fastrpc: fix use-after-free race in fastrpc_map_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53160",
"datePublished": "2026-06-25T08:38:42.138Z",
"dateReserved": "2026-06-09T07:44:35.388Z",
"dateUpdated": "2026-06-28T06:39:36.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52921 (GCVE-0-2026-52921)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
netfilter: ipset: stop hash:* range iteration at end
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: stop hash:* range iteration at end

The following hash set variants:
  hash:ip,mark
  hash:ip,port
  hash:ip,port,ip
  hash:ip,port,net
iterate IPv4 ranges with a 32-bit iterator.

The iterator must stop once the last address in the requested range has
been processed. Advancing it once more can move the traversal state past
the end of the request, so a later retry may continue from an unintended
position.

Handle the iterator increment explicitly at the end of the loop and stop
once the upper bound has been processed. This keeps the existing retry
behaviour intact for valid ranges while preventing traversal from
continuing past the original boundary.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < be75218fadea22e59c8673db212f29c681bf45bb (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 383418c20e69f5761b6ec5238f599423f4fb77fb (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 0d7b33ace701fe397e6e4de145f32e098178d901 (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < c281e018af98df91827d65bec00f4956c00a1b02 (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 02f75f041a93ea045834da89cd3234f4c1d749b4 (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 952e988163c2ab9939c3db9f0f8e77af6a1bb436 (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 0b530efb2cc9dbdddfd49d392e3a857f0d4ce8dc (git) |
| Linux | Linux | Affected: 48596a8ddc46f96afb6a2cd72787cb15d6bb01fc, < 0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_ipmark.c",
"net/netfilter/ipset/ip_set_hash_ipport.c",
"net/netfilter/ipset/ip_set_hash_ipportip.c",
"net/netfilter/ipset/ip_set_hash_ipportnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be75218fadea22e59c8673db212f29c681bf45bb",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "383418c20e69f5761b6ec5238f599423f4fb77fb",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "0d7b33ace701fe397e6e4de145f32e098178d901",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "c281e018af98df91827d65bec00f4956c00a1b02",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "02f75f041a93ea045834da89cd3234f4c1d749b4",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "952e988163c2ab9939c3db9f0f8e77af6a1bb436",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "0b530efb2cc9dbdddfd49d392e3a857f0d4ce8dc",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
},
{
"lessThan": "0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6",
"status": "affected",
"version": "48596a8ddc46f96afb6a2cd72787cb15d6bb01fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_ipmark.c",
"net/netfilter/ipset/ip_set_hash_ipport.c",
"net/netfilter/ipset/ip_set_hash_ipportip.c",
"net/netfilter/ipset/ip_set_hash_ipportnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: stop hash:* range iteration at end\n\nThe following hash set variants:\n\nhash:ip,mark\nhash:ip,port\nhash:ip,port,ip\nhash:ip,port,net\n\niterate IPv4 ranges with a 32-bit iterator.\n\nThe iterator must stop once the last address in the requested range has\nbeen processed. Advancing it once more can move the traversal state past\nthe end of the request, so a later retry may continue from an unintended\nposition.\n\nHandle the iterator increment explicitly at the end of the loop and stop\nonce the upper bound has been processed. This keeps the existing retry\nbehaviour intact for valid ranges while preventing traversal from\ncontinuing past the original boundary."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:16.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be75218fadea22e59c8673db212f29c681bf45bb"
},
{
"url": "https://git.kernel.org/stable/c/383418c20e69f5761b6ec5238f599423f4fb77fb"
},
{
"url": "https://git.kernel.org/stable/c/0d7b33ace701fe397e6e4de145f32e098178d901"
},
{
"url": "https://git.kernel.org/stable/c/c281e018af98df91827d65bec00f4956c00a1b02"
},
{
"url": "https://git.kernel.org/stable/c/02f75f041a93ea045834da89cd3234f4c1d749b4"
},
{
"url": "https://git.kernel.org/stable/c/952e988163c2ab9939c3db9f0f8e77af6a1bb436"
},
{
"url": "https://git.kernel.org/stable/c/0b530efb2cc9dbdddfd49d392e3a857f0d4ce8dc"
},
{
"url": "https://git.kernel.org/stable/c/0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6"
}
],
"title": "netfilter: ipset: stop hash:* range iteration at end",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52921",
"datePublished": "2026-06-24T07:14:16.533Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-24T07:14:16.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53239 (GCVE-0-2026-53239)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.
Race:
  CPU0 (XFRM_MSG_DELPOLICY)            CPU1 (XFRM_MSG_NEWSPDINFO)
  ==========================           ==========================
  xfrm_policy_bysel_ctx():
    spin_lock_bh(xfrm_policy_lock)
    bin = xfrm_policy_inexact_lookup()
    __xfrm_policy_unlink(pol)
    spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_kill(ret)
    // wide window, lock not held
                                       xfrm_hash_rebuild():
                                         spin_lock_bh(xfrm_policy_lock)
                                         __xfrm_policy_inexact_flush():
                                           kfree_rcu(bin) // bin freed
                                         spin_unlock_bh(xfrm_policy_lock)
    xfrm_policy_inexact_prune_bin(bin)
    // UAF: bin is freed
Severity
7.8 (High)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fc536e9f6856230f19c7d13e71af064b6a77b22",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "c4c1ea36d83bf3c4569468ca5b8b614fda1bf821",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "25c8c7fb3b0b9668c7d05e209f58c158d2b020c7",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "42827d03f8009a6a218bacab153e21f39d6a121c",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "88697cf980222d5906a37bf47662dac0732e2a0f",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "b5316e2b8614a87d8736941972441cb47bfd4491",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "ec82ea4eb220164d854f8734ca5a35e23e577b94",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
},
{
"lessThan": "7f2d76c9c03257c0782afef9d95321fa04096f60",
"status": "affected",
"version": "6be3b0db6db82cf056a72cc18042048edd27f8ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()\n\nFix the race by pruning the bin while still holding xfrm_policy_lock,\nbefore dropping it. Use __xfrm_policy_inexact_prune_bin() directly since\nthe lock is already held. The wrapper xfrm_policy_inexact_prune_bin()\nbecomes unused and is removed.\n\nRace:\n\n CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)\n ========================== ==========================\n xfrm_policy_bysel_ctx():\n spin_lock_bh(xfrm_policy_lock)\n bin = xfrm_policy_inexact_lookup()\n __xfrm_policy_unlink(pol)\n spin_unlock_bh(xfrm_policy_lock)\n xfrm_policy_kill(ret)\n // wide window, lock not held\n xfrm_hash_rebuild():\n spin_lock_bh(xfrm_policy_lock)\n __xfrm_policy_inexact_flush():\n kfree_rcu(bin) // bin freed\n spin_unlock_bh(xfrm_policy_lock)\n xfrm_policy_inexact_prune_bin(bin)\n // UAF: bin is freed"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:46.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fc536e9f6856230f19c7d13e71af064b6a77b22"
},
{
"url": "https://git.kernel.org/stable/c/c4c1ea36d83bf3c4569468ca5b8b614fda1bf821"
},
{
"url": "https://git.kernel.org/stable/c/25c8c7fb3b0b9668c7d05e209f58c158d2b020c7"
},
{
"url": "https://git.kernel.org/stable/c/42827d03f8009a6a218bacab153e21f39d6a121c"
},
{
"url": "https://git.kernel.org/stable/c/88697cf980222d5906a37bf47662dac0732e2a0f"
},
{
"url": "https://git.kernel.org/stable/c/b5316e2b8614a87d8736941972441cb47bfd4491"
},
{
"url": "https://git.kernel.org/stable/c/ec82ea4eb220164d854f8734ca5a35e23e577b94"
},
{
"url": "https://git.kernel.org/stable/c/7f2d76c9c03257c0782afef9d95321fa04096f60"
}
],
"title": "xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53239",
"datePublished": "2026-06-25T08:39:35.149Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-28T06:40:46.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53161 (GCVE-0-2026-53161)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:
1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
to strip the SID bits from the stored IOVA before passing the
physical address to dma_free_coherent().
2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
reconstruct the source permission bitmask needed for the
qcom_scm_assign_mem() call that returns memory from the DSP VM
back to HLOS.
3. fastrpc_free_map() acquires map->fl->lock to safely remove the
map node from the fl->maps list.
The resulting use-after-free manifests as:
pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388
Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.
Severity
7.8 (High)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6e5c2be09f814377d7f1ce97370a5b7b3e02814",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "e1e3a05efe5954d5bad01157d79429d39a67a7ae",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "d42679eef34dd590b694ce3b666c5e2ba10cd4bf",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "df08fadcf0e5f3708365ec3b6d30b5aafd98bea1",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "ecea4967c2bff92c2fafbc59893f711b39f7b152",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "fbe0947420eec18a84638d29468c2d563ce4e6a3",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
},
{
"lessThan": "e85eb5feca8e254905ffa6c57a3c99c89a674a0f",
"status": "affected",
"version": "6cffd79504ce040f460831030d3069fa1c99bb71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix use-after-free of fastrpc_user in workqueue context\n\nThere is a race between fastrpc_device_release() and the workqueue\nthat processes DSP responses. When the user closes the file descriptor,\nfastrpc_device_release() frees the fastrpc_user structure. Concurrently,\nan in-flight DSP invocation can complete and fastrpc_rpmsg_callback()\nschedules context cleanup via schedule_work(\u0026ctx-\u003eput_work). If the\nworkqueue runs fastrpc_context_free() in parallel with or after\nfastrpc_device_release() has freed the user structure, it dereferences\nthe freed fastrpc_user. Depending on the state of the context at the\ntime of the race, any one of the following accesses can be hit:\n\n 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf-\u003efl-\u003ecctx, ...)\n to strip the SID bits from the stored IOVA before passing the\n physical address to dma_free_coherent().\n\n 2. fastrpc_free_map() reads map-\u003efl-\u003ecctx-\u003evmperms[0].vmid to\n reconstruct the source permission bitmask needed for the\n qcom_scm_assign_mem() call that returns memory from the DSP VM\n back to HLOS.\n\n 3. fastrpc_free_map() acquires map-\u003efl-\u003elock to safely remove the\n map node from the fl-\u003emaps list.\n\nThe resulting use-after-free manifests as:\n\n pc : fastrpc_buf_free+0x38/0x80 [fastrpc]\n lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n fastrpc_context_put_wq+0x78/0xa0 [fastrpc]\n process_one_work+0x180/0x450\n worker_thread+0x26c/0x388\n\nAdd kref-based reference counting to fastrpc_user. Have each invoke\ncontext take a reference on the user at allocation time and release it\nwhen the context is freed. Release the initial reference in\nfastrpc_device_release() at file close. Move the teardown of the user\nstructure \u2014 freeing pending contexts, maps, mmaps, and the channel\ncontext reference \u2014 into the kref release callback fastrpc_user_free(),\nso that it runs only when the last reference is dropped, regardless of\nwhether that happens at device close or after the final in-flight\ncontext completes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:37.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6e5c2be09f814377d7f1ce97370a5b7b3e02814"
},
{
"url": "https://git.kernel.org/stable/c/e1e3a05efe5954d5bad01157d79429d39a67a7ae"
},
{
"url": "https://git.kernel.org/stable/c/d42679eef34dd590b694ce3b666c5e2ba10cd4bf"
},
{
"url": "https://git.kernel.org/stable/c/df08fadcf0e5f3708365ec3b6d30b5aafd98bea1"
},
{
"url": "https://git.kernel.org/stable/c/ecea4967c2bff92c2fafbc59893f711b39f7b152"
},
{
"url": "https://git.kernel.org/stable/c/5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c"
},
{
"url": "https://git.kernel.org/stable/c/fbe0947420eec18a84638d29468c2d563ce4e6a3"
},
{
"url": "https://git.kernel.org/stable/c/e85eb5feca8e254905ffa6c57a3c99c89a674a0f"
}
],
"title": "misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53161",
"datePublished": "2026-06-25T08:38:42.789Z",
"dateReserved": "2026-06-09T07:44:35.388Z",
"dateUpdated": "2026-06-28T06:39:37.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9675 (GCVE-0-2026-9675)
Vulnerability from cvelistv5 – Published: 2026-06-17 16:20 – Updated: 2026-06-17 17:29
Title
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Summary
Impact:
The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.
Patches:
Upgrade to undici >= 8.5.0.
Workarounds:
No workaround is available. The fix must be applied through an upgrade.
Severity
7.5 (High)
Credits
mauriceng98
Str1ckl4nd
mcollina
UlisesGascon
lzhou1110
Zyy0530
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T17:29:24.751635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T17:29:42.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/undici",
"product": "undici",
"vendor": "undici",
"versions": [
{
"lessThan": "8.5.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mauriceng98"
},
{
"lang": "en",
"type": "finder",
"value": "Str1ckl4nd"
},
{
"lang": "en",
"type": "remediation developer",
"value": "mcollina"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "UlisesGascon"
},
{
"lang": "en",
"type": "finder",
"value": "lzhou1110"
},
{
"lang": "en",
"type": "finder",
"value": "Zyy0530"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nThis is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.\n\nPatches:\nUpgrade to undici \u003e= 8.5.0.\n\nWorkarounds:\nNo workaround is available. The fix must be applied through an upgrade."
}
],
"value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nThis is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.\n\nPatches:\nUpgrade to undici \u003e= 8.5.0.\n\nWorkarounds:\nNo workaround is available. The fix must be applied through an upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T16:20:32.548Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "undici WebSocket client vulnerable to denial of service via cumulative fragment bypass",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-9675",
"datePublished": "2026-06-17T16:20:32.548Z",
"dateReserved": "2026-05-27T07:10:38.904Z",
"dateUpdated": "2026-06-17T17:29:42.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9697 (GCVE-0-2026-9697)
Vulnerability from cvelistv5 – Published: 2026-06-17 16:46 – Updated: 2026-07-02 12:05
Title
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Summary
Impact:
undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.
Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.
Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.
Patches:
Upgrade to undici v7.28.0 or v8.5.0.
Workarounds:
No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Severity
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Credits
tonghuaroot
UlisesGascon
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T03:56:05.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T16:46:42.706Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in undici. When undici\u0027s ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js\u0027s default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:20.232Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"name": "RHBZ#2490018",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9697.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34342"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22380"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22934"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0"
},
{
"lang": "en",
"value": "RHSA-2026:7378: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22380: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22934: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T19:03:30.813Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T16:46:42.706Z",
"value": "Made public."
}
],
"title": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/undici",
"product": "undici",
"vendor": "undici",
"versions": [
{
"lessThan": "7.28.0",
"status": "affected",
"version": "7.23.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.28.0",
"versionType": "semver"
},
{
"lessThan": "8.5.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "tonghuaroot"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "UlisesGascon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact:\nundici\u0027s ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node\u0027s default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici\u0027s ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly."
}
],
"value": "Impact:\nundici\u0027s ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node\u0027s default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici\u0027s ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T16:46:42.706Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-9697",
"datePublished": "2026-06-17T16:46:42.706Z",
"dateReserved": "2026-05-27T12:02:46.825Z",
"dateUpdated": "2026-07-02T12:05:20.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53267 (GCVE-0-2026-53267)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
netfilter: nft_ct: bail out on template ct in get eval
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: bail out on template ct in get eval
I noticed this issue while looking at a historic syzbot report [1].
A rule like the one below is enough to trigger the bug:
    table ip t {
        chain pre {
            type filter hook prerouting priority raw;
            ct zone set 1
            ct original saddr 1.2.3.4 accept
        }
    }
The first expression attaches a per-cpu template ct via
nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all
zero, nf_ct_l3num(ct) == 0). The next expression then calls
nft_ct_get_eval() on the same skb, treats the template as a real ct
and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this
overflows past struct nft_regs on the kernel stack; with smaller
dreg values it silently clobbers adjacent registers.
Reject template ct at the eval entry and in nft_ct_get_fast_eval(),
mirroring the check nft_ct_set_eval() already has. Additionally,
bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len
instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple
before pkt_to_tuple() fills in only the protocol-relevant leading
bytes, so the trailing bytes of tuple->{src,dst}.u3.all are
well-defined zero. priv->len is validated at rule load, so the
copy size is now bounded by the destination register rather than
by an untrusted field on the conntrack.
[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < af80f78ce984649e1698b841cd33f4fa505ad828 (git) |
| | | Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 8470f676eadeab99132708acb1a85915664d6115 (git) |
| | | Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < f071b0bf078146368d18e4eec386bf2ddc0ab7e0 (git) |
| | | Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 2e154b5f53f1b0b490c7b8b02499f90feb86b1d5 (git) |
| | | Affected: 45d9bcda21f4c13be75e3571b0f0ef39e77934b5 , < 3027ecbdb5fdf9200251c21d4818e4c447ef78e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c",
"net/netfilter/nft_ct_fast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af80f78ce984649e1698b841cd33f4fa505ad828",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "8470f676eadeab99132708acb1a85915664d6115",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "f071b0bf078146368d18e4eec386bf2ddc0ab7e0",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "2e154b5f53f1b0b490c7b8b02499f90feb86b1d5",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
},
{
"lessThan": "3027ecbdb5fdf9200251c21d4818e4c447ef78e1",
"status": "affected",
"version": "45d9bcda21f4c13be75e3571b0f0ef39e77934b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c",
"net/netfilter/nft_ct_fast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n table ip t {\n chain pre {\n type filter hook prerouting priority raw;\n ct zone set 1\n ct original saddr 1.2.3.4 accept\n }\n }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -\u003e kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv-\u003elen\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple-\u003e{src,dst}.u3.all are\nwell-defined zero. priv-\u003elen is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:11.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828"
},
{
"url": "https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115"
},
{
"url": "https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0"
},
{
"url": "https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"
},
{
"url": "https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1"
}
],
"title": "netfilter: nft_ct: bail out on template ct in get eval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53267",
"datePublished": "2026-06-25T08:39:53.852Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:11.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53183 (GCVE-0-2026-53183)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
mptcp: allow subflow rcv wnd to shrink
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: allow subflow rcv wnd to shrink
In an MPTCP connection, the `window` field in the TCP header refers to the
MPTCP-level rcv_nxt and its right edge should not move backward. Such
constraint is enforced at DSS option generation time.
At the same time, the TCP stack ensures independently that the TCP-level
rcv wnd's right edge does not move backward. That in turn causes artificial
inflating of the MPTCP rcv window when the incoming data is acked at the
TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).
As a consequence, the incoming traffic can exceed the receiver rcvbuf size
even when the sender is not misbehaving.
Prevent such a scenario by forcibly allowing the TCP subflow to shrink the
TCP-level rcv wnd regardless of the current netns setting.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < bf364b0f10b27679140699821f88af7f01e2a6e3 (git) |
| | | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < b1fd13074f22105deec45aa02283e322733e0c2d (git) |
| | | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < aa3861f40ac32706d9e97bfac76984613e278788 (git) |
| | | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < 653245266913f03fcf21cbca68eed5c197a33e52 (git) |
| | | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < c297a4e65c50a2b807d9309b22615080faffa8f3 (git) |
| | | Affected: f3589be0c420a3137e5902d15705ced6a36f3f43 , < da23be77e1292cd611e736c3aa17da633d7ddce7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf364b0f10b27679140699821f88af7f01e2a6e3",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
},
{
"lessThan": "b1fd13074f22105deec45aa02283e322733e0c2d",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
},
{
"lessThan": "aa3861f40ac32706d9e97bfac76984613e278788",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
},
{
"lessThan": "653245266913f03fcf21cbca68eed5c197a33e52",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
},
{
"lessThan": "c297a4e65c50a2b807d9309b22615080faffa8f3",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
},
{
"lessThan": "da23be77e1292cd611e736c3aa17da633d7ddce7",
"status": "affected",
"version": "f3589be0c420a3137e5902d15705ced6a36f3f43",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: allow subflow rcv wnd to shrink\n\nIn MPTCP connection, the `window` field in the TCP header refers to the\nMPTCP-level rcv_nxt and it\u0027s right edge should not move backward. Such\nconstraint is enforced at DSS option generation time.\n\nAt the same time, the TCP stack ensures independently that the TCP-level\nrcv wnd right\u0027s edge does not move backward. That in turn causes artificial\ninflating of the MPTCP rcv window when the incoming data is acked at the\nTCP level and is OoO in the MPTCP sequence space (or lands in the backlog).\n\nAs a consequence, the incoming traffic can exceed the receiver rcvbuf size\neven when the sender is not misbehaving.\n\nPrevent such scenario forcibly allowing the TCP subflow to shrink the\nTCP-level rcv wnd regardless of the current netns setting."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:57.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf364b0f10b27679140699821f88af7f01e2a6e3"
},
{
"url": "https://git.kernel.org/stable/c/b1fd13074f22105deec45aa02283e322733e0c2d"
},
{
"url": "https://git.kernel.org/stable/c/aa3861f40ac32706d9e97bfac76984613e278788"
},
{
"url": "https://git.kernel.org/stable/c/653245266913f03fcf21cbca68eed5c197a33e52"
},
{
"url": "https://git.kernel.org/stable/c/c297a4e65c50a2b807d9309b22615080faffa8f3"
},
{
"url": "https://git.kernel.org/stable/c/da23be77e1292cd611e736c3aa17da633d7ddce7"
}
],
"title": "mptcp: allow subflow rcv wnd to shrink",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53183",
"datePublished": "2026-06-25T08:38:57.443Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-28T06:39:57.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52924 (GCVE-0-2026-52924)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-30 12:09
Title
sctp: purge outqueue on stale COOKIE-ECHO handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: purge outqueue on stale COOKIE-ECHO handling
sctp_stream_update() is only invoked when the association is moved into
COOKIE_WAIT during association setup/reconfiguration. In this path, the
outbound stream scheduler state (stream->out_curr) is expected to be
clean, since no user data should have been transmitted yet unless the
state machine has already partially progressed.
However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a
Stale Cookie ERROR is received, the association is rolled back from
COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already
have been queued and even bundled with the COOKIE-ECHO chunk.
During the rollback, sctp_stream_update() frees the old stream table
and installs a new one, but it does not invalidate stream->out_curr.
As a result, out_curr may still point to a freed sctp_stream_out
entry from the previous stream state.
Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on
stream->out_curr->ext, which can lead to use-after-free once the old
stream state has been released via sctp_stream_free().
This results in crashes such as (reported by Yuqi):
BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted
7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
sctp_sched_fcfs_dequeue+0x13a/0x140
sctp_outq_flush+0x1603/0x33e0
sctp_do_sm+0x31c9/0x5d30
sctp_assoc_bh_rcv+0x392/0x6f0
sctp_inq_push+0x1db/0x270
sctp_rcv+0x138d/0x3c10
Fix this by fully purging the association outqueue when handling the
Stale Cookie case. This ensures all pending transmit and retransmit
state is dropped, and any scheduler cached pointers are invalidated,
making it safe to rebuild stream state during COOKIE_WAIT restart.
Updating only stream->out_curr would be insufficient, since queued
and retransmittable data would still reference the old stream state and
trigger later use-after-free in dequeue paths.
Severity
9.8 (Critical)
CWE
- CWE-825 - Expired Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < 84b7a319105db2f917ccdcf502bdc866082b1285 (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8 (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < 3c0741a441a7df7099d7ca6a64a6a0de09c677c8 (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < 2afc9e684dc7fecf73db1edc937ebbc47b4b68dc (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < 1d4652f677906a64487c13f9ace54b0eb263b5d0 (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < a6207349e703cfc04756a4d16dec9176135813a5 (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < 83ade59e5da365f4bf8bce72c5a38774202b442f (git) |
| | | Affected: 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 , < e374b22e9b07b72a25909621464ff74096151bfb (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Stream Control Transmission Protocol (SCTP) implementation. This vulnerability, a use-after-free, occurs when the system processes a Stale Cookie ERROR during the setup or reconfiguration of an SCTP association. A remote attacker could exploit this by sending specially crafted SCTP packets. This could lead to a system crash, causing a Denial of Service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:46.214Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-52924"
},
{
"name": "RHBZ#2492095",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492095"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52924.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: sctp: purge outqueue on stale COOKIE-ECHO handling",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84b7a319105db2f917ccdcf502bdc866082b1285",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "3c0741a441a7df7099d7ca6a64a6a0de09c677c8",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "2afc9e684dc7fecf73db1edc937ebbc47b4b68dc",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "1d4652f677906a64487c13f9ace54b0eb263b5d0",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "a6207349e703cfc04756a4d16dec9176135813a5",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "83ade59e5da365f4bf8bce72c5a38774202b442f",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
},
{
"lessThan": "e374b22e9b07b72a25909621464ff74096151bfb",
"status": "affected",
"version": "5bbbbe32a43199c2b9ea5ea66fab6241c64beb51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: purge outqueue on stale COOKIE-ECHO handling\n\nsctp_stream_update() is only invoked when the association is moved into\nCOOKIE_WAIT during association setup/reconfiguration. In this path, the\noutbound stream scheduler state (stream-\u003eout_curr) is expected to be\nclean, since no user data should have been transmitted yet unless the\nstate machine has already partially progressed.\n\nHowever, a corner case exists in sctp_sf_do_5_2_6_stale(): when a\nStale Cookie ERROR is received, the association is rolled back from\nCOOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already\nhave been queued and even bundled with the COOKIE-ECHO chunk.\n\nDuring the rollback, sctp_stream_update() frees the old stream table\nand installs a new one, but it does not invalidate stream-\u003eout_curr.\nAs a result, out_curr may still point to a freed sctp_stream_out\nentry from the previous stream state.\n\nLater, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on\nstream-\u003eout_curr-\u003eext, which can lead to use-after-free once the old\nstream state has been released via sctp_stream_free().\n\nThis results in crashes such as (reported by Yuqi):\n\n BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140\n Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312\n CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted\n 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)\n sctp_sched_fcfs_dequeue+0x13a/0x140\n sctp_outq_flush+0x1603/0x33e0\n sctp_do_sm+0x31c9/0x5d30\n sctp_assoc_bh_rcv+0x392/0x6f0\n sctp_inq_push+0x1db/0x270\n sctp_rcv+0x138d/0x3c10\n\nFix this by fully purging the association outqueue when handling the\nStale Cookie case. This ensures all pending transmit and retransmit\nstate is dropped, and any scheduler cached pointers are invalidated,\nmaking it safe to rebuild stream state during COOKIE_WAIT restart.\n\nUpdating only stream-\u003eout_curr would be insufficient, since queued\nand retransmittable data would still reference the old stream state and\ntrigger later use-after-free in dequeue paths."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:46.646Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84b7a319105db2f917ccdcf502bdc866082b1285"
},
{
"url": "https://git.kernel.org/stable/c/f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8"
},
{
"url": "https://git.kernel.org/stable/c/3c0741a441a7df7099d7ca6a64a6a0de09c677c8"
},
{
"url": "https://git.kernel.org/stable/c/2afc9e684dc7fecf73db1edc937ebbc47b4b68dc"
},
{
"url": "https://git.kernel.org/stable/c/1d4652f677906a64487c13f9ace54b0eb263b5d0"
},
{
"url": "https://git.kernel.org/stable/c/a6207349e703cfc04756a4d16dec9176135813a5"
},
{
"url": "https://git.kernel.org/stable/c/83ade59e5da365f4bf8bce72c5a38774202b442f"
},
{
"url": "https://git.kernel.org/stable/c/e374b22e9b07b72a25909621464ff74096151bfb"
}
],
"title": "sctp: purge outqueue on stale COOKIE-ECHO handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52924",
"datePublished": "2026-06-24T07:14:18.646Z",
"dateReserved": "2026-06-09T07:44:35.368Z",
"dateUpdated": "2026-06-30T12:09:46.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53228 (GCVE-0-2026-53228)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
ipv6: sit: reload inner IPv6 header after GSO offloads
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sit: reload inner IPv6 header after GSO offloads
ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().
For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.
If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.
Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < fddd41445a0537b093e6b3f6232c9933cad1e48b (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 1132e5edc2866c3530be17622153a597095f0e43 (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 9c67b44edb3598d234efae6e44649eb993c03da5 (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0 (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 59f80c919713250fe5d25a4d9aea4e49580fa1d4 (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < 2fa49b2715e1bad12ce3b0fa64e234d9582c8193 (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c (git) Affected: 14909664e4e192f4c6f6fcdccd9919af7cf783ab , < f0e42f0c4337b1f220de1ddd63f47197c7dee4de (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/sit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fddd41445a0537b093e6b3f6232c9933cad1e48b",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "1132e5edc2866c3530be17622153a597095f0e43",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "9c67b44edb3598d234efae6e44649eb993c03da5",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "59f80c919713250fe5d25a4d9aea4e49580fa1d4",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "2fa49b2715e1bad12ce3b0fa64e234d9582c8193",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
},
{
"lessThan": "f0e42f0c4337b1f220de1ddd63f47197c7dee4de",
"status": "affected",
"version": "14909664e4e192f4c6f6fcdccd9919af7cf783ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/sit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sit: reload inner IPv6 header after GSO offloads\n\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\nentry and continues using it after iptunnel_handle_offloads().\n\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\nWhen the skb header is cloned, skb_header_unclone() can call\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\ncontract requires pointers into the skb header to be reloaded after the\ncall.\n\nIf the later skb_realloc_headroom() branch is not taken, SIT uses the\nstale iph6 pointer to read the inner hop limit and DS field. That can\nread from a freed skb head after the old head\u0027s remaining clone is\nreleased.\n\nReload iph6 after the offload helper succeeds and before subsequent\nreads from the inner IPv6 header. Keep the existing reload after\nskb_realloc_headroom(), since that branch can also replace the skb."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:38.747Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fddd41445a0537b093e6b3f6232c9933cad1e48b"
},
{
"url": "https://git.kernel.org/stable/c/1132e5edc2866c3530be17622153a597095f0e43"
},
{
"url": "https://git.kernel.org/stable/c/9c67b44edb3598d234efae6e44649eb993c03da5"
},
{
"url": "https://git.kernel.org/stable/c/0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0"
},
{
"url": "https://git.kernel.org/stable/c/59f80c919713250fe5d25a4d9aea4e49580fa1d4"
},
{
"url": "https://git.kernel.org/stable/c/2fa49b2715e1bad12ce3b0fa64e234d9582c8193"
},
{
"url": "https://git.kernel.org/stable/c/cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c"
},
{
"url": "https://git.kernel.org/stable/c/f0e42f0c4337b1f220de1ddd63f47197c7dee4de"
}
],
"title": "ipv6: sit: reload inner IPv6 header after GSO offloads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53228",
"datePublished": "2026-06-25T08:39:27.893Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-28T06:40:38.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53209 (GCVE-0-2026-53209)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.
Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 63f365eb4d1668a04070151b555d55a07ede8d4b , < 10b0e832cc05d7aef4b92bed912cbd4a395d0862 (git) Affected: c621211b308816889f0a3246de448bfcef8ab3ab , < 1338ee049a8910ba6c9cee963920e978e6893c7d (git) Affected: 907ef6e12fb558a0763e894311eb245a94c192dd , < 02f50e8bb69f9b22516163a09922f5537d3b12d1 (git) Affected: 5725bc608252050ed8a4d47d59225b7dd73474c8 , < dafc9f57140e66a10945127aa7433c3d715dc253 (git) Affected: 5725bc608252050ed8a4d47d59225b7dd73474c8 , < cdd8bbdbee763fdf5bf343e6f7d4e79347739f62 (git) Affected: 5725bc608252050ed8a4d47d59225b7dd73474c8 , < 5c65b96b549ea2dcfde497436bf9e048deb87758 (git) Affected: 15da883c010cbc2a84aec1738b6ad6ee477846de (git) Affected: 6.1.142 , < 6.1.176 (semver) Affected: 6.6.94 , < 6.6.143 (semver) Affected: 6.12.34 , < 6.12.94 (semver) Affected: 6.15.3 , < 6.16 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10b0e832cc05d7aef4b92bed912cbd4a395d0862",
"status": "affected",
"version": "63f365eb4d1668a04070151b555d55a07ede8d4b",
"versionType": "git"
},
{
"lessThan": "1338ee049a8910ba6c9cee963920e978e6893c7d",
"status": "affected",
"version": "c621211b308816889f0a3246de448bfcef8ab3ab",
"versionType": "git"
},
{
"lessThan": "02f50e8bb69f9b22516163a09922f5537d3b12d1",
"status": "affected",
"version": "907ef6e12fb558a0763e894311eb245a94c192dd",
"versionType": "git"
},
{
"lessThan": "dafc9f57140e66a10945127aa7433c3d715dc253",
"status": "affected",
"version": "5725bc608252050ed8a4d47d59225b7dd73474c8",
"versionType": "git"
},
{
"lessThan": "cdd8bbdbee763fdf5bf343e6f7d4e79347739f62",
"status": "affected",
"version": "5725bc608252050ed8a4d47d59225b7dd73474c8",
"versionType": "git"
},
{
"lessThan": "5c65b96b549ea2dcfde497436bf9e048deb87758",
"status": "affected",
"version": "5725bc608252050ed8a4d47d59225b7dd73474c8",
"versionType": "git"
},
{
"status": "affected",
"version": "15da883c010cbc2a84aec1738b6ad6ee477846de",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: reject oversized Broadcast Announcement prepend\n\nExisting advertising instances can already hold the maximum extended\nadvertising payload. When hci_adv_bcast_annoucement() prepends the\nBroadcast Announcement service data to that payload, the combined data\nmay no longer fit in the temporary buffer used to rebuild the\nadvertising data.\n\nReject that case before copying the existing payload and report the\nfailure through the device log. This keeps the existing advertising\ndata intact and avoids overrunning the temporary buffer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:25.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10b0e832cc05d7aef4b92bed912cbd4a395d0862"
},
{
"url": "https://git.kernel.org/stable/c/1338ee049a8910ba6c9cee963920e978e6893c7d"
},
{
"url": "https://git.kernel.org/stable/c/02f50e8bb69f9b22516163a09922f5537d3b12d1"
},
{
"url": "https://git.kernel.org/stable/c/dafc9f57140e66a10945127aa7433c3d715dc253"
},
{
"url": "https://git.kernel.org/stable/c/cdd8bbdbee763fdf5bf343e6f7d4e79347739f62"
},
{
"url": "https://git.kernel.org/stable/c/5c65b96b549ea2dcfde497436bf9e048deb87758"
}
],
"title": "Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53209",
"datePublished": "2026-06-25T08:39:14.915Z",
"dateReserved": "2026-06-09T07:44:35.391Z",
"dateUpdated": "2026-06-28T06:40:25.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53159 (GCVE-0-2026-53159)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
misc: fastrpc: fix DMA address corruption due to find_vma misuse
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix DMA address corruption due to find_vma misuse
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.
Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < 2d0f47e27c1fa718b29c69aa7c96a2c5161bc2c2 (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < 708c17b52c60fe7a57e73b495bdee50f58feb48c (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < d3e26df2e8eb361e6bef096b2fd565476a1f14c4 (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < e69e306a4cccb40a73511350cb280825a556ce3c (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < 53e06f8a3c2b085c31bf1284e2ebcb8036e99625 (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < 7ba7b30ddb04646d4d638f4d8c4718a304bbbddd (git) Affected: 80f3afd72bd4149c57daf852905476b43bb47647 , < 464c6ad2aa16e1e1df9d559289199356493d1e00 (git) Affected: 954edc466128479872731d06f026d0e71840d153 (git) Affected: 5.1.6 , < 5.2 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d0f47e27c1fa718b29c69aa7c96a2c5161bc2c2",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "708c17b52c60fe7a57e73b495bdee50f58feb48c",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "d3e26df2e8eb361e6bef096b2fd565476a1f14c4",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "e69e306a4cccb40a73511350cb280825a556ce3c",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "53e06f8a3c2b085c31bf1284e2ebcb8036e99625",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "7ba7b30ddb04646d4d638f4d8c4718a304bbbddd",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"lessThan": "464c6ad2aa16e1e1df9d559289199356493d1e00",
"status": "affected",
"version": "80f3afd72bd4149c57daf852905476b43bb47647",
"versionType": "git"
},
{
"status": "affected",
"version": "954edc466128479872731d06f026d0e71840d153",
"versionType": "git"
},
{
"lessThan": "5.2",
"status": "affected",
"version": "5.1.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix DMA address corruption due to find_vma misuse\n\nfastrpc_get_args() uses find_vma() to look up the VMA for a user-provided\npointer and compute a DMA address offset. When the address falls in a gap\nbefore the returned VMA, (ptr \u0026 PAGE_MASK) - vma-\u003evm_start underflows,\ncorrupting the DMA address sent to the DSP.\n\nReplace find_vma() with vma_lookup(), which returns NULL when the address\nis not contained within any VMA."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:41.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d0f47e27c1fa718b29c69aa7c96a2c5161bc2c2"
},
{
"url": "https://git.kernel.org/stable/c/708c17b52c60fe7a57e73b495bdee50f58feb48c"
},
{
"url": "https://git.kernel.org/stable/c/d3e26df2e8eb361e6bef096b2fd565476a1f14c4"
},
{
"url": "https://git.kernel.org/stable/c/e69e306a4cccb40a73511350cb280825a556ce3c"
},
{
"url": "https://git.kernel.org/stable/c/53e06f8a3c2b085c31bf1284e2ebcb8036e99625"
},
{
"url": "https://git.kernel.org/stable/c/7ba7b30ddb04646d4d638f4d8c4718a304bbbddd"
},
{
"url": "https://git.kernel.org/stable/c/464c6ad2aa16e1e1df9d559289199356493d1e00"
}
],
"title": "misc: fastrpc: fix DMA address corruption due to find_vma misuse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53159",
"datePublished": "2026-06-25T08:38:41.482Z",
"dateReserved": "2026-06-09T07:44:35.388Z",
"dateUpdated": "2026-06-25T08:38:41.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53264 (GCVE-0-2026-53264)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
net/sched: act_api: use RCU with deferred freeing for action lifecycle
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_api: use RCU with deferred freeing for action lifecycle
When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.
Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:
0: mutex_lock() <-- holds the idr lock
0: rcu_read_lock()
0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
0: mutex_unlock() <-- releases the idr lock
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index) <-- Action removed from IDR
1: mutex_unlock() <-- mutex released allowing us to delete the action
1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory
This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().
Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().
Let's illustrate the new restored code path:
0: rcu_read_lock()
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index)
1: mutex_unlock()
1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
0: p = idr_find(idr, index)
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
1: rcu_read_unlock() <-- release so freeing can run after grace period
After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 98b2e40879abf0245be5a5b7af69e0f6ff524ac3 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 18af5d2ef0c4f65787fd1280c8b23286b9f2a835 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 1f1b98fea6b9ea30507d0f2fbff6750292d097e2 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 8b136f18ac4b2ace5aaad3305b3f8a5d8165a009 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 5dd51e09020c65aa53cf128e5e3517cd53b3c113 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < b60e9391142e983fab2be53497aa8f71fdd09cd5 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 91d105d2cbe002f9c7b43a6183adedc37e1da1f7 (git) |
| Linux | Linux | Affected: d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da , < 5057e1aca011e51ef51498c940ef96f3d3e8a305 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98b2e40879abf0245be5a5b7af69e0f6ff524ac3",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "18af5d2ef0c4f65787fd1280c8b23286b9f2a835",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "1f1b98fea6b9ea30507d0f2fbff6750292d097e2",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "8b136f18ac4b2ace5aaad3305b3f8a5d8165a009",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "5dd51e09020c65aa53cf128e5e3517cd53b3c113",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "b60e9391142e983fab2be53497aa8f71fdd09cd5",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "91d105d2cbe002f9c7b43a6183adedc37e1da1f7",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
},
{
"lessThan": "5057e1aca011e51ef51498c940ef96f3d3e8a305",
"status": "affected",
"version": "d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet\u0027s illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() \u003c-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) \u003c-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() \u003c-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index) \u003c-- Action removed from IDR\n 1: mutex_unlock() \u003c-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) \u003c-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet\u0027s illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(\u0026p-\u003etcfa_rcu, tcf_action_rcu_free) \u003c-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- fails, refcnt already 0\n 1: rcu_read_unlock() \u003c-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0\u0027s subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:06.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3"
},
{
"url": "https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835"
},
{
"url": "https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2"
},
{
"url": "https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009"
},
{
"url": "https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113"
},
{
"url": "https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5"
},
{
"url": "https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7"
},
{
"url": "https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305"
}
],
"title": "net/sched: act_api: use RCU with deferred freeing for action lifecycle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53264",
"datePublished": "2026-06-25T08:39:51.870Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:06.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53214 (GCVE-0-2026-53214)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
ipv6: Fix a potential NPD in cleanup_prefix_route()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix a potential NPD in cleanup_prefix_route()
addrconf_get_prefix_route() can return the fib6_null_entry sentinel
entry which has a NULL fib6_table pointer. Therefore, before setting the
route's expiration time, check that we are not working with this entry,
as otherwise a NPD will be triggered [1].
Note that the other callers of addrconf_get_prefix_route() are not
susceptible to this bug:
1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF |
RTF_PREFIX_RT' flags which are not set on fib6_null_entry.
2. modify_prefix_route(): Fixed by commit a747e02430df ("ipv6: avoid
possible NULL deref in modify_prefix_route()").
3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for
fib6_null_entry and returns an error.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[...]
Call Trace:
<TASK>
__kasan_check_byte (mm/kasan/common.c:573)
lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
cleanup_prefix_route (net/ipv6/addrconf.c:1280)
ipv6_del_addr (net/ipv6/addrconf.c:1342)
inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
netlink_rcv_skb (net/netlink/af_netlink.c:2555)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1899)
__sock_sendmsg (net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bd12abe294c7738421bdfbc486f1909d02db30e9 , < 5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2 (git) |
| Linux | Linux | Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < 192df376a05c2db15564640f9da7e20907c1fa24 (git) |
| Linux | Linux | Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < 07d9a0870a178843cea44cfd58c27445dc94cf5f (git) |
| Linux | Linux | Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < 653a2849305708f75260b5296f17b2a759ff9cc7 (git) |
| Linux | Linux | Affected: 5eb902b8e7193cdcb33242af0a56502e6b5206e9 , < b70c687b7cf267fb08586667a3946c8851cad672 (git) |
| Linux | Linux | Affected: 6.6.120 , < 6.6.143 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2",
"status": "affected",
"version": "bd12abe294c7738421bdfbc486f1909d02db30e9",
"versionType": "git"
},
{
"lessThan": "192df376a05c2db15564640f9da7e20907c1fa24",
"status": "affected",
"version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
"versionType": "git"
},
{
"lessThan": "07d9a0870a178843cea44cfd58c27445dc94cf5f",
"status": "affected",
"version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
"versionType": "git"
},
{
"lessThan": "653a2849305708f75260b5296f17b2a759ff9cc7",
"status": "affected",
"version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
"versionType": "git"
},
{
"lessThan": "b70c687b7cf267fb08586667a3946c8851cad672",
"status": "affected",
"version": "5eb902b8e7193cdcb33242af0a56502e6b5206e9",
"versionType": "git"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix a potential NPD in cleanup_prefix_route()\n\naddrconf_get_prefix_route() can return the fib6_null_entry sentinel\nentry which has a NULL fib6_table pointer. Therefore, before setting the\nroute\u0027s expiration time, check that we are not working with this entry,\nas otherwise a NPD will be triggered [1].\n\nNote that the other callers of addrconf_get_prefix_route() are not\nsusceptible to this bug:\n\n1. addrconf_prefix_rcv(): Requests a route with the \u0027RTF_ADDRCONF |\n RTF_PREFIX_RT\u0027 flags which are not set on fib6_null_entry.\n\n2. modify_prefix_route(): Fixed by commit a747e02430df (\"ipv6: avoid\n possible NULL deref in modify_prefix_route()\").\n\n3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for\n fib6_null_entry and returns an error.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[...]\nCall Trace:\n\u003cTASK\u003e\n__kasan_check_byte (mm/kasan/common.c:573)\nlock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))\n_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))\ncleanup_prefix_route (net/ipv6/addrconf.c:1280)\nipv6_del_addr (net/ipv6/addrconf.c:1342)\ninet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)\ninet6_rtm_deladdr (net/ipv6/addrconf.c:4812)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6997)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2555)\nnetlink_unicast (net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1899)\n__sock_sendmsg (net/socket.c:802 (discriminator 4))\n____sys_sendmsg (net/socket.c:2698)\n___sys_sendmsg (net/socket.c:2752)\n__sys_sendmsg (net/socket.c:2784)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:18.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2"
},
{
"url": "https://git.kernel.org/stable/c/192df376a05c2db15564640f9da7e20907c1fa24"
},
{
"url": "https://git.kernel.org/stable/c/07d9a0870a178843cea44cfd58c27445dc94cf5f"
},
{
"url": "https://git.kernel.org/stable/c/653a2849305708f75260b5296f17b2a759ff9cc7"
},
{
"url": "https://git.kernel.org/stable/c/b70c687b7cf267fb08586667a3946c8851cad672"
}
],
"title": "ipv6: Fix a potential NPD in cleanup_prefix_route()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53214",
"datePublished": "2026-06-25T08:39:18.209Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-25T08:39:18.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53247 (GCVE-0-2026-53247)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst
with kfree() immediately, bypassing the RCU grace period.
In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from
the skb to the metadata_dst. This function requires RCU read-side
protection and the dst must remain valid until all RCU readers complete.
Since metadata_dst_free() calls kfree() directly, a use-after-free can
occur if any skb still holds a noref pointer to the dst when the driver
tears it down.
Replace metadata_dst_free() with dst_release() which properly goes
through the refcount path: when the refcount drops to zero, it schedules
the actual free via call_rcu_hurry(), ensuring all RCU readers have
completed before the memory is freed.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2d7605a729062bb554f03c5983d8cfb8c0b42e9c , < 72775977e89c25c99ee84d2c5baa3f86a8ba5cb4 (git) |
| Linux | Linux | Affected: 2d7605a729062bb554f03c5983d8cfb8c0b42e9c , < 459c6f35c58cf0fd5247e55d73ddaa29571d9b7e (git) |
| Linux | Linux | Affected: 2d7605a729062bb554f03c5983d8cfb8c0b42e9c , < e634408d2b0cd939cfe019398a21fb47b7a8ffe3 (git) |
| Linux | Linux | Affected: 2d7605a729062bb554f03c5983d8cfb8c0b42e9c , < 2d86aeb46d5f69c704065a8c69822582787272a1 (git) |
| Linux | Linux | Affected: 2d7605a729062bb554f03c5983d8cfb8c0b42e9c , < 80df409e1a483676826a6c66e693dba6ac507751 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72775977e89c25c99ee84d2c5baa3f86a8ba5cb4",
"status": "affected",
"version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
"versionType": "git"
},
{
"lessThan": "459c6f35c58cf0fd5247e55d73ddaa29571d9b7e",
"status": "affected",
"version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
"versionType": "git"
},
{
"lessThan": "e634408d2b0cd939cfe019398a21fb47b7a8ffe3",
"status": "affected",
"version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
"versionType": "git"
},
{
"lessThan": "2d86aeb46d5f69c704065a8c69822582787272a1",
"status": "affected",
"version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
"versionType": "git"
},
{
"lessThan": "80df409e1a483676826a6c66e693dba6ac507751",
"status": "affected",
"version": "2d7605a729062bb554f03c5983d8cfb8c0b42e9c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n\nmtk_free_dev() calls metadata_dst_free() which frees the metadata_dst\nwith kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, a use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:53.820Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72775977e89c25c99ee84d2c5baa3f86a8ba5cb4"
},
{
"url": "https://git.kernel.org/stable/c/459c6f35c58cf0fd5247e55d73ddaa29571d9b7e"
},
{
"url": "https://git.kernel.org/stable/c/e634408d2b0cd939cfe019398a21fb47b7a8ffe3"
},
{
"url": "https://git.kernel.org/stable/c/2d86aeb46d5f69c704065a8c69822582787272a1"
},
{
"url": "https://git.kernel.org/stable/c/80df409e1a483676826a6c66e693dba6ac507751"
}
],
"title": "net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53247",
"datePublished": "2026-06-25T08:39:40.654Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-28T06:40:53.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53274 (GCVE-0-2026-53274)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.
The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.
Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[ 240.123489] Call Trace:
[ 240.123501] smc_shutdown+...
[ 240.123512] lock_sock_nested+...
This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < 35a22117839602bb52283de08894c5a7dde92420 (git) |
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < 5d27d2ffe487df89ce28fda0410eafa05dbe03a0 (git) |
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < 89f6fbe0033c942cb790ffd53ca93a45eeaf1c91 (git) |
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < dcd90f42a33e4220385f27b515183d0c91b2fc4a (git) |
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < 94d286fa5eedc550d42bcb9c85416af8f77736ff (git) |
| Linux | Linux | Affected: a6a6fe27bab48f0d09a64b051e7bde432fcae081 , < a3fdd924d88c30b9f488636ce0e4696012cf5511 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35a22117839602bb52283de08894c5a7dde92420",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
},
{
"lessThan": "5d27d2ffe487df89ce28fda0410eafa05dbe03a0",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
},
{
"lessThan": "89f6fbe0033c942cb790ffd53ca93a45eeaf1c91",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
},
{
"lessThan": "dcd90f42a33e4220385f27b515183d0c91b2fc4a",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
},
{
"lessThan": "94d286fa5eedc550d42bcb9c85416af8f77736ff",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
},
{
"lessThan": "a3fdd924d88c30b9f488636ce0e4696012cf5511",
"status": "affected",
"version": "a6a6fe27bab48f0d09a64b051e7bde432fcae081",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS\n\nA logic flaw in __smc_setsockopt() allows a local unprivileged user to\ncause a Denial of Service (DoS) by holding the socket lock indefinitely.\n\nThe function __smc_setsockopt() calls copy_from_sockptr() while holding\nlock_sock(sk). By passing a userfaultfd-monitored memory page (or\nFUSE-backed memory on systems where unprivileged userfaultfd is disabled)\nas the optval, an attacker can halt execution during the copy operation,\nkeeping the lock held.\n\nCombined with asynchronous tear-down operations like shutdown(), this\nexhausts the kernel wq (kworkers) and triggers the hung task watchdog.\n\n[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.\n[ 240.123489] Call Trace:\n[ 240.123501] smc_shutdown+...\n[ 240.123512] lock_sock_nested+...\n\nThis patch moves the user-space copy outside the lock_sock() critical\nsection to prevent the issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:58.478Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35a22117839602bb52283de08894c5a7dde92420"
},
{
"url": "https://git.kernel.org/stable/c/5d27d2ffe487df89ce28fda0410eafa05dbe03a0"
},
{
"url": "https://git.kernel.org/stable/c/89f6fbe0033c942cb790ffd53ca93a45eeaf1c91"
},
{
"url": "https://git.kernel.org/stable/c/dcd90f42a33e4220385f27b515183d0c91b2fc4a"
},
{
"url": "https://git.kernel.org/stable/c/94d286fa5eedc550d42bcb9c85416af8f77736ff"
},
{
"url": "https://git.kernel.org/stable/c/a3fdd924d88c30b9f488636ce0e4696012cf5511"
}
],
"title": "net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53274",
"datePublished": "2026-06-25T08:39:58.478Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-25T08:39:58.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53149 (GCVE-0-2026-53149)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
thunderbolt: Bound root directory content to block size
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Bound root directory content to block size
__tb_property_parse_dir() does not check that content_offset +
content_len fits within block_len for the root directory case.
When rootdir->length equals or exceeds block_len - 2, the entry
loop reads past the allocated property block.
Add a bounds check after computing content_offset and content_len
to reject directories whose content extends past the block.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 5c7657d38d07268124782f03519f07c22a5814fb (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < b212bc161d8a9937b42153723a4a3f2f74fab528 (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 1912be23daf4afc8d24ce916021ab68ca4c679db (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 4d0b1524caadb04c10a71f3f88692c63dcb39115 (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 0a32040a48db8cf35de48b85d6115df5623e4964 (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 60ba6217460792356a238299edd675d91d46bab4 (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < cbeb68cbaa0a6f979ef428a7f2d0268c082ba166 (git); Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 65423079c7420e3dbf9a7aa345c243a3f5752e5d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c7657d38d07268124782f03519f07c22a5814fb",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "b212bc161d8a9937b42153723a4a3f2f74fab528",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "1912be23daf4afc8d24ce916021ab68ca4c679db",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "4d0b1524caadb04c10a71f3f88692c63dcb39115",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "0a32040a48db8cf35de48b85d6115df5623e4964",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "60ba6217460792356a238299edd675d91d46bab4",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "cbeb68cbaa0a6f979ef428a7f2d0268c082ba166",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "65423079c7420e3dbf9a7aa345c243a3f5752e5d",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Bound root directory content to block size\n\n__tb_property_parse_dir() does not check that content_offset +\ncontent_len fits within block_len for the root directory case.\nWhen rootdir-\u003elength equals or exceeds block_len - 2, the entry\nloop reads past the allocated property block.\n\nAdd a bounds check after computing content_offset and content_len\nto reject directories whose content extends past the block."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:34.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c7657d38d07268124782f03519f07c22a5814fb"
},
{
"url": "https://git.kernel.org/stable/c/b212bc161d8a9937b42153723a4a3f2f74fab528"
},
{
"url": "https://git.kernel.org/stable/c/1912be23daf4afc8d24ce916021ab68ca4c679db"
},
{
"url": "https://git.kernel.org/stable/c/4d0b1524caadb04c10a71f3f88692c63dcb39115"
},
{
"url": "https://git.kernel.org/stable/c/0a32040a48db8cf35de48b85d6115df5623e4964"
},
{
"url": "https://git.kernel.org/stable/c/60ba6217460792356a238299edd675d91d46bab4"
},
{
"url": "https://git.kernel.org/stable/c/cbeb68cbaa0a6f979ef428a7f2d0268c082ba166"
},
{
"url": "https://git.kernel.org/stable/c/65423079c7420e3dbf9a7aa345c243a3f5752e5d"
}
],
"title": "thunderbolt: Bound root directory content to block size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53149",
"datePublished": "2026-06-25T08:38:34.869Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-25T08:38:34.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53215 (GCVE-0-2026-53215)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
net: mvpp2: refill RX buffers before XDP or skb use
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: refill RX buffers before XDP or skb use
The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.
mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.
Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < a88b3293b556f4d8fba11db9a8061a6b0d3b69e6 (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < a03cdcedb2cbcc42551dc3e4746929e93c5352d5 (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < 580f92f27cb8724bcc4be98ee89890eab524a2ae (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < d0c8c4fbd22d260fe28530260656c5fb3c20ce84 (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < 8a2126c5afe89f8ceeb60a3afb9f075b736194cd (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < 02e1b5c4d3b4c658b72c145427cded1bba613fc1 (git); Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc, < 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 (git); Affected: 95a936364f2685e9e040c6b179b553604d96de22 (git); Affected: fba2cf348d9eb50b2049a73cc09313dab6d293f1 (git); Affected: 5.7.15, < 5.8 (semver); Affected: 5.8.2, < 5.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88b3293b556f4d8fba11db9a8061a6b0d3b69e6",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "a03cdcedb2cbcc42551dc3e4746929e93c5352d5",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "580f92f27cb8724bcc4be98ee89890eab524a2ae",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "d0c8c4fbd22d260fe28530260656c5fb3c20ce84",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "8a2126c5afe89f8ceeb60a3afb9f075b736194cd",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "02e1b5c4d3b4c658b72c145427cded1bba613fc1",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"lessThan": "5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6",
"status": "affected",
"version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
"versionType": "git"
},
{
"status": "affected",
"version": "95a936364f2685e9e040c6b179b553604d96de22",
"versionType": "git"
},
{
"status": "affected",
"version": "fba2cf348d9eb50b2049a73cc09313dab6d293f1",
"versionType": "git"
},
{
"lessThan": "5.8",
"status": "affected",
"version": "5.7.15",
"versionType": "semver"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:28.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6"
},
{
"url": "https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5"
},
{
"url": "https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae"
},
{
"url": "https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84"
},
{
"url": "https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd"
},
{
"url": "https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1"
},
{
"url": "https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6"
}
],
"title": "net: mvpp2: refill RX buffers before XDP or skb use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53215",
"datePublished": "2026-06-25T08:39:18.875Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-28T06:40:28.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53080 (GCVE-0-2026-53080)
Vulnerability from cvelistv5 – Published: 2026-06-24 16:30 – Updated: 2026-06-24 16:30
Title
net/sched: cls_fw: fix NULL dereference of "old" filters before change()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL dereference of "old" filters before change()
Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:
    # ip link add dev crash0 type dummy
    # ip link set dev crash0 up
    # mausezahn crash0 -c 100000 -P 10 \
    > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
    # sleep 1
    # tc qdisc add dev crash0 egress_block 1 clsact
    # tc filter add block 1 protocol ip prio 1 matchall \
    > action skbedit mark 65536 continue
    # tc filter add block 1 protocol ip prio 2 fw
    # ip link del dev crash0
can still make fw_classify() hit the WARN_ON() in [2]:
WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
Modules linked in: cls_fw(E) act_skbedit(E)
CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
FS: 00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
Call Trace:
<TASK>
tcf_classify+0x17d/0x5c0
tc_run+0x9d/0x150
__dev_queue_xmit+0x2ab/0x14d0
ip_finish_output2+0x340/0x8f0
ip_output+0xa4/0x250
raw_sendmsg+0x147d/0x14b0
__sys_sendto+0x1cc/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x126/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fca40e822ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
</TASK>
irq event stamp: 1045778
hardirqs last enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
softirqs last enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0
Then, because of the value in the packet's mark, dereference on 'q->handle'
with NULL 'q' occurs:
BUG: kernel NULL pointer dereference, address: 0000000000000038
[...]
RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
[...]
Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.
[1] https://sashiko.dev/#/patchset/2
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < a719275da488835e987d28effc04679b4aace3a0 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < c205da704c84eeb4247d770150440294fd547049 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 5dcce34c57d5e5990869384d69deeb9414bf9b92 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 5df49f0579f7e625f2358a219d31fbc7621be799 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 41845bc5bb64f3d615abe575ad655b5e7f193634 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 4fabcfea7a9dd159df32c5df6587fe858cb0d748 (git); Affected: ed76f5edccc98fa66f2337f0b3b255d6e1a568b7, < 65782b2db7321d5f97c16718c4c7f6c7205a56be (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a719275da488835e987d28effc04679b4aace3a0",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "c205da704c84eeb4247d770150440294fd547049",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "5dcce34c57d5e5990869384d69deeb9414bf9b92",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "5df49f0579f7e625f2358a219d31fbc7621be799",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "41845bc5bb64f3d615abe575ad655b5e7f193634",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "4fabcfea7a9dd159df32c5df6587fe858cb0d748",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
},
{
"lessThan": "65782b2db7321d5f97c16718c4c7f6c7205a56be",
"status": "affected",
"version": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their -\u003echange()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn crash0 -c 100000 -P 10 \\\n \u003e -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q \u0026\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n \u003e action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 \u003c0f\u003e 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 
R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS: 00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n tcf_classify+0x17d/0x5c0\n tc_run+0x9d/0x150\n __dev_queue_xmit+0x2ab/0x14d0\n ip_finish_output2+0x340/0x8f0\n ip_output+0xa4/0x250\n raw_sendmsg+0x147d/0x14b0\n __sys_sendto+0x1cc/0x1f0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x126/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n \u003c/TASK\u003e\n irq event stamp: 1045778\n hardirqs last enabled at (1045784): [\u003cffffffff864ec042\u003e] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [\u003cffffffff864ec027\u003e] __up_console_sem+0x37/0x60\n softirqs last enabled at (1045426): [\u003cffffffff874d48c7\u003e] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [\u003cffffffff874fe8f8\u003e] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet\u0027s mark, dereference on \u0027q-\u003ehandle\u0027\nwith NULL \u0027q\u0027 occurs:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on 
shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T16:30:21.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0"
},
{
"url": "https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049"
},
{
"url": "https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92"
},
{
"url": "https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799"
},
{
"url": "https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c"
},
{
"url": "https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634"
},
{
"url": "https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748"
},
{
"url": "https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be"
}
],
"title": "net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53080",
"datePublished": "2026-06-24T16:30:21.172Z",
"dateReserved": "2026-06-09T07:44:35.383Z",
"dateUpdated": "2026-06-24T16:30:21.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52919 (GCVE-0-2026-52919)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
batman-adv: fix tp_meter counter underflow during shutdown
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix tp_meter counter underflow during shutdown
batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.
Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.
Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.
[sven: added missing change in batadv_tp_send]
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < e75e2ab463b5b34df6b98f94d740aff327ce9f6b (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < abae88fa254f2981d39ac003a7b302528a22af64 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < c66d20a3ff095e3f000551d208ec2606616db15c (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < c1bac194733aabd731aafa6a01350c229e187dba (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < 01cefc5923889e29dbb5f281c3d457714ceb9c00 (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < 90ae3eae06b7b8ab9f6250b9497c860915b4c17b (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < aeae11c5dad9cd0d50723890bdd866f8e6db2e7d (git) |
| Linux | Linux | Affected: 33a3bb4a3345bb511f9c69c913da95d4693e2a4e , < 94f3b133168d1c49895e7cc6afbcf1cc0b354602 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tp_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e75e2ab463b5b34df6b98f94d740aff327ce9f6b",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "abae88fa254f2981d39ac003a7b302528a22af64",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "c66d20a3ff095e3f000551d208ec2606616db15c",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "c1bac194733aabd731aafa6a01350c229e187dba",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "01cefc5923889e29dbb5f281c3d457714ceb9c00",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "90ae3eae06b7b8ab9f6250b9497c860915b4c17b",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "aeae11c5dad9cd0d50723890bdd866f8e6db2e7d",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
},
{
"lessThan": "94f3b133168d1c49895e7cc6afbcf1cc0b354602",
"status": "affected",
"version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/tp_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix tp_meter counter underflow during shutdown\n\nbatadv_tp_sender_shutdown() unconditionally decrements the \"sending\"\natomic counter. If multiple paths (e.g. timeout, user cancel, and\nnormal finish) call this function, the counter can underflow to -1.\n\nSince the sender logic treats any non-zero value as \"still sending\",\na negative value causes the sender kthread to loop indefinitely.\nThis leads to a use-after-free when the interface is removed while\nthe zombie thread is still active.\n\nFix this by using atomic_xchg() to ensure the counter only transitions\nfrom 1 to 0 once.\n\n[sven: added missing change in batadv_tp_send]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:40.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b"
},
{
"url": "https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64"
},
{
"url": "https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c"
},
{
"url": "https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba"
},
{
"url": "https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00"
},
{
"url": "https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b"
},
{
"url": "https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d"
},
{
"url": "https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602"
}
],
"title": "batman-adv: fix tp_meter counter underflow during shutdown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52919",
"datePublished": "2026-06-24T07:14:15.201Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-28T06:36:40.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53266 (GCVE-0-2026-53266)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
netfilter: bridge: make ebt_snat ARP rewrite writable
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bridge: make ebt_snat ARP rewrite writable
The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0). This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.
However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:
skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)
skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable. If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.
Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87 (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < 76280b78cc9f23bdc6438e10ad6dff148ef8375b (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < b7e91939ba9be805a62a257fa4e227dffbb88fa0 (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < afd64b59c3de9bbbdd3759e834fdc55cda716e0b (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < 153ea96c806aea395daba907a4f88480b6ad5093 (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < b18675263db1147c8e1cab625400c13a0d87bd2d (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5 (git) |
| Linux | Linux | Affected: 63137bc5882a1882c553d389fdeeeace86ee1741 , < 67ba971ae02514d85818fe0c32549ab4bfa3bf49 (git) |
| Linux | Linux | Affected: 2f3839075a5f8dcf116c1abe35b36b018ac62445 (git) |
| Linux | Linux | Affected: 51ba2945a8ef65ae437c8f9ba05f0343aa82ae5b (git) |
| Linux | Linux | Affected: b7d23c2c87584eb429f115c078ed511be8b18e29 (git) |
| Linux | Linux | Affected: 5.4.73 , < 5.5 (semver) |
| Linux | Linux | Affected: 5.8.17 , < 5.9 (semver) |
| Linux | Linux | Affected: 5.9.2 , < 5.10 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebt_snat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "76280b78cc9f23bdc6438e10ad6dff148ef8375b",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "b7e91939ba9be805a62a257fa4e227dffbb88fa0",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "afd64b59c3de9bbbdd3759e834fdc55cda716e0b",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "153ea96c806aea395daba907a4f88480b6ad5093",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "b18675263db1147c8e1cab625400c13a0d87bd2d",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"lessThan": "67ba971ae02514d85818fe0c32549ab4bfa3bf49",
"status": "affected",
"version": "63137bc5882a1882c553d389fdeeeace86ee1741",
"versionType": "git"
},
{
"status": "affected",
"version": "2f3839075a5f8dcf116c1abe35b36b018ac62445",
"versionType": "git"
},
{
"status": "affected",
"version": "51ba2945a8ef65ae437c8f9ba05f0343aa82ae5b",
"versionType": "git"
},
{
"status": "affected",
"version": "b7d23c2c87584eb429f115c078ed511be8b18e29",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.73",
"versionType": "semver"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.17",
"versionType": "semver"
},
{
"lessThan": "5.10",
"status": "affected",
"version": "5.9.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebt_snat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: make ebt_snat ARP rewrite writable\n\nThe ebtables SNAT target keeps the Ethernet source address rewrite\nbehind skb_ensure_writable(skb, 0). This is intentional: at the bridge\nebtables hooks the Ethernet header is addressed through\nskb_mac_header()/eth_hdr(), while skb-\u003edata points at the Ethernet\npayload. Asking skb_ensure_writable() for ETH_HLEN bytes would check\nthe payload, not the Ethernet header, and would reintroduce the small\npacket regression fixed by commit 63137bc5882a.\n\nHowever, the optional ARP sender hardware address rewrite is different.\nIt writes through skb_store_bits() at an offset relative to skb-\u003edata:\n\n skb_store_bits(skb, sizeof(struct arphdr), info-\u003emac, ETH_ALEN)\n\nskb_header_pointer() only safely reads the ARP header; it does not make\nthe later sender hardware address range writable. If that range is\nstill held in a nonlinear skb fragment backed by a splice-imported file\npage, skb_store_bits() maps the frag page and copies the new MAC address\ndirectly into it.\n\nEnsure the ARP SHA range is writable before reading the ARP header and\nbefore calling skb_store_bits()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:09.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87"
},
{
"url": "https://git.kernel.org/stable/c/76280b78cc9f23bdc6438e10ad6dff148ef8375b"
},
{
"url": "https://git.kernel.org/stable/c/b7e91939ba9be805a62a257fa4e227dffbb88fa0"
},
{
"url": "https://git.kernel.org/stable/c/afd64b59c3de9bbbdd3759e834fdc55cda716e0b"
},
{
"url": "https://git.kernel.org/stable/c/153ea96c806aea395daba907a4f88480b6ad5093"
},
{
"url": "https://git.kernel.org/stable/c/b18675263db1147c8e1cab625400c13a0d87bd2d"
},
{
"url": "https://git.kernel.org/stable/c/c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5"
},
{
"url": "https://git.kernel.org/stable/c/67ba971ae02514d85818fe0c32549ab4bfa3bf49"
}
],
"title": "netfilter: bridge: make ebt_snat ARP rewrite writable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53266",
"datePublished": "2026-06-25T08:39:53.190Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:09.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53249 (GCVE-0-2026-53249)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.
This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.
While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.
RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommends dropping these options in 4.3 and 4.4.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cd6e9ed49347d3a2fdaaf07e32fb524756dddc2 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a87c3e8f03ce655ed0ef500d64d5fd924ec3691 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 89343ff12b3178fc236fe531a3603e7c97c68278 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8ff85dbabbbfb05e86e6cde31d91ac5782179d4d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 00e8845fe3428c69e980dce5071cb3da1d8f7578 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4f3fd6516920988c47ba8d19714985c40c816a1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 28f5ad1b4055405eb1616e603fe511ba5e3725e7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_options.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cd6e9ed49347d3a2fdaaf07e32fb524756dddc2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a87c3e8f03ce655ed0ef500d64d5fd924ec3691",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "89343ff12b3178fc236fe531a3603e7c97c68278",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8ff85dbabbbfb05e86e6cde31d91ac5782179d4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00e8845fe3428c69e980dce5071cb3da1d8f7578",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4f3fd6516920988c47ba8d19714985c40c816a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28f5ad1b4055405eb1616e603fe511ba5e3725e7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_options.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: restrict IPOPT_SSRR and IPOPT_LSRR options\n\nThis patch restricts setting Loose Source and Record Route (LSRR)\nand Strict Source and Record Route (SSRR) IP options to users\nwith CAP_NET_RAW capability.\n\nThis prevents unprivileged applications from forcing packets to route\nthrough attacker-controlled nodes to leak TCP ISN and possibly other\nprotocol information.\n\nWhile LSRR and SSRR are commonly filtered in many network environments,\nthey may still be supported and forwarded along some network paths.\n\nRFC 7126 (Recommendations on Filtering of IPv4 Packets Containing\nIPv4 Options) recommend to drop these options in 4.3 and 4.4."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:41.971Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cd6e9ed49347d3a2fdaaf07e32fb524756dddc2"
},
{
"url": "https://git.kernel.org/stable/c/2a87c3e8f03ce655ed0ef500d64d5fd924ec3691"
},
{
"url": "https://git.kernel.org/stable/c/89343ff12b3178fc236fe531a3603e7c97c68278"
},
{
"url": "https://git.kernel.org/stable/c/8ff85dbabbbfb05e86e6cde31d91ac5782179d4d"
},
{
"url": "https://git.kernel.org/stable/c/00e8845fe3428c69e980dce5071cb3da1d8f7578"
},
{
"url": "https://git.kernel.org/stable/c/a4f3fd6516920988c47ba8d19714985c40c816a1"
},
{
"url": "https://git.kernel.org/stable/c/28f5ad1b4055405eb1616e603fe511ba5e3725e7"
},
{
"url": "https://git.kernel.org/stable/c/d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c"
}
],
"title": "ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53249",
"datePublished": "2026-06-25T08:39:41.971Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-25T08:39:41.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53236 (GCVE-0-2026-53236)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
tcp: restrict SO_ATTACH_FILTER to priv users
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: restrict SO_ATTACH_FILTER to priv users
This patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets
to users with CAP_NET_ADMIN capability.
This blocks a potential side-channel attack where an unprivileged application
attaches a filter to leak TCP sequence/acknowledgment numbers.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3747de241a66ef2c7032d2cc2b826a47c5fa0f6a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ecfe9171b26ae3eed0cd8bab7a943e9e2c9e51ba (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82b3e7ce10c53fc12aab8904745603efc74f8c07 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ede69b8f6670600e534591664584f810d7c385f9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c68517a3e18e20997808821c5559d0cba4d776c1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5d39580f68e6ddeedd15e587282207489dfb3da2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3747de241a66ef2c7032d2cc2b826a47c5fa0f6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecfe9171b26ae3eed0cd8bab7a943e9e2c9e51ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82b3e7ce10c53fc12aab8904745603efc74f8c07",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ede69b8f6670600e534591664584f810d7c385f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c68517a3e18e20997808821c5559d0cba4d776c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d39580f68e6ddeedd15e587282207489dfb3da2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: restrict SO_ATTACH_FILTER to priv users\n\nThis patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets\nto users with CAP_NET_ADMIN capability.\n\nThis blocks potential side-channel attack where an unprivileged application\nattaches a filter to leak TCP sequence/acknowledgment numbers."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:33.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3747de241a66ef2c7032d2cc2b826a47c5fa0f6a"
},
{
"url": "https://git.kernel.org/stable/c/ecfe9171b26ae3eed0cd8bab7a943e9e2c9e51ba"
},
{
"url": "https://git.kernel.org/stable/c/82b3e7ce10c53fc12aab8904745603efc74f8c07"
},
{
"url": "https://git.kernel.org/stable/c/ede69b8f6670600e534591664584f810d7c385f9"
},
{
"url": "https://git.kernel.org/stable/c/c68517a3e18e20997808821c5559d0cba4d776c1"
},
{
"url": "https://git.kernel.org/stable/c/5d39580f68e6ddeedd15e587282207489dfb3da2"
}
],
"title": "tcp: restrict SO_ATTACH_FILTER to priv users",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53236",
"datePublished": "2026-06-25T08:39:33.170Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-25T08:39:33.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53146 (GCVE-0-2026-53146)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
thunderbolt: Limit XDomain response copy to actual frame size
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Limit XDomain response copy to actual frame size
tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size. When a short
response arrives, this reads past the valid frame data in the DMA
pool buffer into stale contents from previous transactions.
Use the minimum of frame size and expected response size for the
copy length.
Severity
7.1 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c55da494dfb445fb28df3a9d293c2be6a299cd01",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "7720654b4842bcdfeb64bc002f6186041849e1e7",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "033dfa63bf6be2653441a1dccae4a8313a91bb9d",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "fc261397295b8ad0654cec747b0ec25ea0011995",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "a15b6d3136accb2bf84b04d9a3ddd991f7fbf1cb",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "b5daa920f44cb582272fc9bfaeb67408776cbaef",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "b2c1e5d9f1598cc1a4736d5c6bd1218f90805ee4",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Limit XDomain response copy to actual frame size\n\ntb_xdomain_copy() copies req-\u003eresponse_size bytes from the received\npacket buffer regardless of the actual frame size. When a short\nresponse arrives, this reads past the valid frame data in the DMA\npool buffer into stale contents from previous transactions.\n\nUse the minimum of frame size and expected response size for the\ncopy length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:30.867Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c55da494dfb445fb28df3a9d293c2be6a299cd01"
},
{
"url": "https://git.kernel.org/stable/c/7720654b4842bcdfeb64bc002f6186041849e1e7"
},
{
"url": "https://git.kernel.org/stable/c/033dfa63bf6be2653441a1dccae4a8313a91bb9d"
},
{
"url": "https://git.kernel.org/stable/c/fc261397295b8ad0654cec747b0ec25ea0011995"
},
{
"url": "https://git.kernel.org/stable/c/a15b6d3136accb2bf84b04d9a3ddd991f7fbf1cb"
},
{
"url": "https://git.kernel.org/stable/c/b5daa920f44cb582272fc9bfaeb67408776cbaef"
},
{
"url": "https://git.kernel.org/stable/c/b2c1e5d9f1598cc1a4736d5c6bd1218f90805ee4"
},
{
"url": "https://git.kernel.org/stable/c/4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb"
}
],
"title": "thunderbolt: Limit XDomain response copy to actual frame size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53146",
"datePublished": "2026-06-25T08:38:32.877Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-28T06:39:30.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53238 (GCVE-0-2026-53238)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
netlabel: validate unlabeled address and mask attribute lengths
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlabel: validate unlabeled address and mask attribute lengths
netlbl_unlabel_addrinfo_get() used the address attribute length to
determine whether the attribute data could be read as an IPv4 or IPv6
address, but did not independently validate the corresponding mask
attribute length. A crafted Generic Netlink request could therefore
provide a valid IPv4/IPv6 address attribute with a shorter mask
attribute, which would later be read as a full struct in_addr or
struct in6_addr.
NLA_BINARY policy lengths are maximum lengths by default, so use
NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask
attributes. This rejects short attributes during policy validation and
also exposes the exact length requirements through policy introspection.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlabel/netlabel_unlabeled.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "975a84fd741440853380d37465b6e226cf47254c",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "672f0f3b8f875ffe6525a37847eafa7648c4c0c6",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "95bda3eac0b1454c2cee98d58d9ba6dd8391e843",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "07a18f5c90dd3d586b73242f5a5bbf0a72f2fdc6",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "71c52da13c3737493b42d20d9f33de34e03b3156",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "0c4bb32ad7fdc2dc6a8050f41eb04d4bda56b6c8",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "ccfe292a966079c61ea68a2da303b2a336170993",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
},
{
"lessThan": "9772589b57e44aedc240211c5c3f7a684a034d3a",
"status": "affected",
"version": "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlabel/netlabel_unlabeled.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: validate unlabeled address and mask attribute lengths\n\nnetlbl_unlabel_addrinfo_get() used the address attribute length to\ndetermine whether the attribute data could be read as an IPv4 or IPv6\naddress, but did not independently validate the corresponding mask\nattribute length. A crafted Generic Netlink request could therefore\nprovide a valid IPv4/IPv6 address attribute with a shorter mask\nattribute, which would later be read as a full struct in_addr or\nstruct in6_addr.\n\nNLA_BINARY policy lengths are maximum lengths by default, so use\nNLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask\nattributes. This rejects short attributes during policy validation and\nalso exposes the exact length requirements through policy introspection."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:34.492Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/975a84fd741440853380d37465b6e226cf47254c"
},
{
"url": "https://git.kernel.org/stable/c/672f0f3b8f875ffe6525a37847eafa7648c4c0c6"
},
{
"url": "https://git.kernel.org/stable/c/95bda3eac0b1454c2cee98d58d9ba6dd8391e843"
},
{
"url": "https://git.kernel.org/stable/c/07a18f5c90dd3d586b73242f5a5bbf0a72f2fdc6"
},
{
"url": "https://git.kernel.org/stable/c/71c52da13c3737493b42d20d9f33de34e03b3156"
},
{
"url": "https://git.kernel.org/stable/c/0c4bb32ad7fdc2dc6a8050f41eb04d4bda56b6c8"
},
{
"url": "https://git.kernel.org/stable/c/ccfe292a966079c61ea68a2da303b2a336170993"
},
{
"url": "https://git.kernel.org/stable/c/9772589b57e44aedc240211c5c3f7a684a034d3a"
}
],
"title": "netlabel: validate unlabeled address and mask attribute lengths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53238",
"datePublished": "2026-06-25T08:39:34.492Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-25T08:39:34.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53218 (GCVE-0-2026-53218)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.
Bail out if userspace requests too much data when F_PRESENT is set.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_exthdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "19748967d59c31d24d21d40b728570788310b237",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "46fc15a044e9938e7ea77786fb37edd2cd74f031",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "cd513e43b4b2bd1de39e2367bc4261c699a8652f",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "67b27434c43b68a97becda98c9f0c8cf6cba2134",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "78069a6d8bc86c9e036eb82c2af4a19cc1871a53",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
},
{
"lessThan": "772cecf198da732faebb5dcfc46d66a505be8495",
"status": "affected",
"version": "c078ca3b0c5bf82c2b31906c446d6e2ad8ea0783",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_exthdr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv-\u003elen to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest = 0 on TCP/DCCP error path). When len \u003e 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:21.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6"
},
{
"url": "https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237"
},
{
"url": "https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031"
},
{
"url": "https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f"
},
{
"url": "https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134"
},
{
"url": "https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53"
},
{
"url": "https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265"
},
{
"url": "https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495"
}
],
"title": "netfilter: nft_exthdr: fix register tracking for F_PRESENT flag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53218",
"datePublished": "2026-06-25T08:39:21.069Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-25T08:39:21.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53213 (GCVE-0-2026-53213)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
drm/vc4: fix krealloc() memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: fix krealloc() memory leak
Don't just overwrite the original pointer passed to krealloc()
with its return value without checking latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vc4/vc4_validate_shaders.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30165a09f76eaf34951c818eb5d9d6e4771d76f6",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "fd87d6966041e33ef7d2e5dc59f9a52b71c6ae5f",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "e0ce103e89d61eef70edc1d1ae3bfd4c0aacbc2e",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "c034aa0b1ba5f49cbdf8ef193d6ec714d74aac27",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "02f5e4db57c0cdd7bac89d503b301a093a0fa95c",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "4fc692dc6df5bc777cc1bcebf95179e28594875f",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
},
{
"lessThan": "5d563a5da8717629ae72f9eadf1e0e340bd1658b",
"status": "affected",
"version": "6d45c81d229d71da54d374143e7d6abad4c0cf31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vc4/vc4_validate_shaders.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: fix krealloc() memory leak\n\nDon\u0027t just overwrite the original pointer passed to krealloc()\nwith its return value without checking latter:\n\n MEM = krealloc(MEM, SZ, GFP);\n\nIf krealloc() returns NULL, that erases the pointer\nto the still allocated memory, hence leaks this memory.\nInstead, use a temporary variable, check it\u0027s not NULL\nand only then assign it to the original pointer:\n\n TMP = krealloc(MEM, SZ, GFP);\n if (!TMP) return;\n MEM = TMP;\n\nWhile on it, use krealloc_array()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:17.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30165a09f76eaf34951c818eb5d9d6e4771d76f6"
},
{
"url": "https://git.kernel.org/stable/c/fd87d6966041e33ef7d2e5dc59f9a52b71c6ae5f"
},
{
"url": "https://git.kernel.org/stable/c/e0ce103e89d61eef70edc1d1ae3bfd4c0aacbc2e"
},
{
"url": "https://git.kernel.org/stable/c/c034aa0b1ba5f49cbdf8ef193d6ec714d74aac27"
},
{
"url": "https://git.kernel.org/stable/c/02f5e4db57c0cdd7bac89d503b301a093a0fa95c"
},
{
"url": "https://git.kernel.org/stable/c/4fc692dc6df5bc777cc1bcebf95179e28594875f"
},
{
"url": "https://git.kernel.org/stable/c/5d563a5da8717629ae72f9eadf1e0e340bd1658b"
}
],
"title": "drm/vc4: fix krealloc() memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53213",
"datePublished": "2026-06-25T08:39:17.552Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-25T08:39:17.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53182 (GCVE-0-2026-53182)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
wifi: nl80211: reject oversized EMA RNR lists
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: reject oversized EMA RNR lists

nl80211_parse_rnr_elems() stores the parsed element count in a
u8-backed cfg80211_rnr_elems::cnt field and uses that count to size
the flexible array allocation.

Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches
255, before incrementing it again. This keeps the parser aligned with
the data structure it fills and matches the existing bound check used
by nl80211_parse_mbssid_elems().
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 56189d7bc30531def6b999f27940ee43c6ff2569, < fc0ec2fc02dfe52c5821f36fbccf6a45df43f508 (git) |
| Linux | Linux | Affected: dbbb27e183b1568d5a907ace1cd144b0709ea52a, < 688fcac7054abc680c0eef753f2bb772cfaf8cf7 (git) |
| Linux | Linux | Affected: dbbb27e183b1568d5a907ace1cd144b0709ea52a, < 30c3fa80f423613efdda3deca4af52ff7d20e4e2 (git) |
| Linux | Linux | Affected: dbbb27e183b1568d5a907ace1cd144b0709ea52a, < 265c07c09c837621730d35f02975207a1224bf05 (git) |
| Linux | Linux | Affected: dbbb27e183b1568d5a907ace1cd144b0709ea52a, < ecbf3c45add30a0857414e156bdb9c79906f0ff6 (git) |
| Linux | Linux | Affected: dbbb27e183b1568d5a907ace1cd144b0709ea52a, < 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 (git) |
| Linux | Linux | Affected: 6.1.160, < 6.1.176 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc0ec2fc02dfe52c5821f36fbccf6a45df43f508",
"status": "affected",
"version": "56189d7bc30531def6b999f27940ee43c6ff2569",
"versionType": "git"
},
{
"lessThan": "688fcac7054abc680c0eef753f2bb772cfaf8cf7",
"status": "affected",
"version": "dbbb27e183b1568d5a907ace1cd144b0709ea52a",
"versionType": "git"
},
{
"lessThan": "30c3fa80f423613efdda3deca4af52ff7d20e4e2",
"status": "affected",
"version": "dbbb27e183b1568d5a907ace1cd144b0709ea52a",
"versionType": "git"
},
{
"lessThan": "265c07c09c837621730d35f02975207a1224bf05",
"status": "affected",
"version": "dbbb27e183b1568d5a907ace1cd144b0709ea52a",
"versionType": "git"
},
{
"lessThan": "ecbf3c45add30a0857414e156bdb9c79906f0ff6",
"status": "affected",
"version": "dbbb27e183b1568d5a907ace1cd144b0709ea52a",
"versionType": "git"
},
{
"lessThan": "4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1",
"status": "affected",
"version": "dbbb27e183b1568d5a907ace1cd144b0709ea52a",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject oversized EMA RNR lists\n\nnl80211_parse_rnr_elems() stores the parsed element count in a\nu8-backed cfg80211_rnr_elems::cnt field and uses that count to size\nthe flexible array allocation.\n\nReject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches\n255, before incrementing it again. This keeps the parser aligned with\nthe data structure it fills and matches the existing bound check used\nby nl80211_parse_mbssid_elems()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:55.496Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc0ec2fc02dfe52c5821f36fbccf6a45df43f508"
},
{
"url": "https://git.kernel.org/stable/c/688fcac7054abc680c0eef753f2bb772cfaf8cf7"
},
{
"url": "https://git.kernel.org/stable/c/30c3fa80f423613efdda3deca4af52ff7d20e4e2"
},
{
"url": "https://git.kernel.org/stable/c/265c07c09c837621730d35f02975207a1224bf05"
},
{
"url": "https://git.kernel.org/stable/c/ecbf3c45add30a0857414e156bdb9c79906f0ff6"
},
{
"url": "https://git.kernel.org/stable/c/4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1"
}
],
"title": "wifi: nl80211: reject oversized EMA RNR lists",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53182",
"datePublished": "2026-06-25T08:38:56.654Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-28T06:39:55.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53199 (GCVE-0-2026-53199)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
Summary
In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.

Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:

- pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
  not a native PFN. Reconstruct the physical address first and derive
  the native page from it, so the mapping stays correct where
  PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
- Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
  grouping in the page buffer array"), an entry describes a full
  physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
  while kmap_local_page() maps a single page. Copy page by page,
  splitting at native page boundaries.

The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 16514afeb7d3d121072ba9a0b640d6c1c5507db0 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < a82d4251918f37d9c5aab7b365157669fb885ec3 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 695c59cf7bf707e6ff8cea01916ee50e86616933 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 09b8a7aa5a341bb345dc492aac139525efa13515 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 918c0c988239aa5ab96b254e504d191af6191061 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 0b38870d81ab3a04c1ab0598d9d3285f5d9d0584 (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < fe7221b4346418d27ec2daccfc09df6692b76f0b (git) |
| Linux | Linux | Affected: c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e, < 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/netvsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16514afeb7d3d121072ba9a0b640d6c1c5507db0",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "a82d4251918f37d9c5aab7b365157669fb885ec3",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "695c59cf7bf707e6ff8cea01916ee50e86616933",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "09b8a7aa5a341bb345dc492aac139525efa13515",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "918c0c988239aa5ab96b254e504d191af6191061",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "0b38870d81ab3a04c1ab0598d9d3285f5d9d0584",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "fe7221b4346418d27ec2daccfc09df6692b76f0b",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
},
{
"lessThan": "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af",
"status": "affected",
"version": "c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/hyperv/netvsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc\u0027d memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n not a native PFN. Reconstruct the physical address first and derive\n the native page from it, so the mapping stays correct where\n PAGE_SIZE \u003e HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n grouping in the page buffer array\"), an entry describes a full\n physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n while kmap_local_page() maps a single page. Copy page by page,\n splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:16.838Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0"
},
{
"url": "https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3"
},
{
"url": "https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933"
},
{
"url": "https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515"
},
{
"url": "https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061"
},
{
"url": "https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584"
},
{
"url": "https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b"
},
{
"url": "https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af"
}
],
"title": "hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53199",
"datePublished": "2026-06-25T08:39:08.320Z",
"dateReserved": "2026-06-09T07:44:35.391Z",
"dateUpdated": "2026-06-28T06:40:16.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53158 (GCVE-0-2026-53158)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Summary
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
  _raw_spin_lock_irqsave+0x34/0x8c (P)
  fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  qcom_glink_native_rx+0x538/0x6a4
  qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f6f9279f2bf0e37e2f1fb119d8832b8568536a04, < 8fb4a23df5b7c02929b62e5dbc270ec7c42b8134 (git) |
| Linux | Linux | Affected: f6f9279f2bf0e37e2f1fb119d8832b8568536a04, < 4bfdf0a9855df55e9e031ca6a25b855820590c70 (git) |
| Linux | Linux | Affected: f6f9279f2bf0e37e2f1fb119d8832b8568536a04, < d5de9cb5355db36438edc621dde3673e3f235767 (git) |
| Linux | Linux | Affected: f6f9279f2bf0e37e2f1fb119d8832b8568536a04, < d77583ca33299fede0c194744ef2284e7ba5b763 (git) |
| Linux | Linux | Affected: f6f9279f2bf0e37e2f1fb119d8832b8568536a04, < 5401fb4fe10fac6134c308495df18ed74aebb9c4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fb4a23df5b7c02929b62e5dbc270ec7c42b8134",
"status": "affected",
"version": "f6f9279f2bf0e37e2f1fb119d8832b8568536a04",
"versionType": "git"
},
{
"lessThan": "4bfdf0a9855df55e9e031ca6a25b855820590c70",
"status": "affected",
"version": "f6f9279f2bf0e37e2f1fb119d8832b8568536a04",
"versionType": "git"
},
{
"lessThan": "d5de9cb5355db36438edc621dde3673e3f235767",
"status": "affected",
"version": "f6f9279f2bf0e37e2f1fb119d8832b8568536a04",
"versionType": "git"
},
{
"lessThan": "d77583ca33299fede0c194744ef2284e7ba5b763",
"status": "affected",
"version": "f6f9279f2bf0e37e2f1fb119d8832b8568536a04",
"versionType": "git"
},
{
"lessThan": "5401fb4fe10fac6134c308495df18ed74aebb9c4",
"status": "affected",
"version": "f6f9279f2bf0e37e2f1fb119d8832b8568536a04",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix NULL pointer dereference in rpmsg callback\n\nA NULL pointer dereference was observed on Hawi at boot when the DSP\nsends a glink message before fastrpc_rpmsg_probe() has completed\ninitialization:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178\n pc : _raw_spin_lock_irqsave+0x34/0x8c\n lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]\n ...\n Call trace:\n _raw_spin_lock_irqsave+0x34/0x8c (P)\n fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]\n qcom_glink_native_rx+0x538/0x6a4\n qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]\n\nThe faulting address 0x178 corresponds to the lock variable inside\nstruct fastrpc_channel_ctx, confirming that cctx is NULL when\nfastrpc_rpmsg_callback() attempts to take the spinlock.\n\nThere are two issues here. First, dev_set_drvdata() is called before\nspin_lock_init() and idr_init(), leaving a window where the callback\ncan retrieve a valid cctx pointer but operate on an uninitialized\nspinlock. Second, the rpmsg channel becomes live as soon as the driver\nis bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()\nis called at all, resulting in dev_get_drvdata() returning NULL.\n\nFix both issues by moving all cctx initialization ahead of\ndev_set_drvdata() so the structure is fully initialized before it\nbecomes visible to the callback, and add a NULL check in\nfastrpc_rpmsg_callback() as a guard against any remaining window."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:40.818Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fb4a23df5b7c02929b62e5dbc270ec7c42b8134"
},
{
"url": "https://git.kernel.org/stable/c/4bfdf0a9855df55e9e031ca6a25b855820590c70"
},
{
"url": "https://git.kernel.org/stable/c/d5de9cb5355db36438edc621dde3673e3f235767"
},
{
"url": "https://git.kernel.org/stable/c/d77583ca33299fede0c194744ef2284e7ba5b763"
},
{
"url": "https://git.kernel.org/stable/c/5401fb4fe10fac6134c308495df18ed74aebb9c4"
}
],
"title": "misc: fastrpc: Fix NULL pointer dereference in rpmsg callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53158",
"datePublished": "2026-06-25T08:38:40.818Z",
"dateReserved": "2026-06-09T07:44:35.388Z",
"dateUpdated": "2026-06-25T08:38:40.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53217 (GCVE-0-2026-53217)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
net: mvpp2: sync RX data at the hardware packet offset
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: sync RX data at the hardware packet offset

mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.
Severity
8.6 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < 60412bdd1b2576659eac23a23d2d9ff96228a643 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < 19f8bc139e9b149d1e5bf75ae761d1bb8dd3e7d8 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < a3ad9b5767c89531fc7dae951b51b0933dcf7051 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < bede0f481b9137d73d1cf64309cbe4b94818a5d6 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < 23548007b3c66d628fc7d6b80d1e23be04ea10d9 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < a13199fa224e9f776f4005d5037df03aa9ea8f37 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < e302206ad84a407a7e5f3f6fe767ff5efaace689 (git) |
| Linux | Linux | Affected: e1921168bbd4810de4197446e52f652cd0dd9541, < 180235600934bef6add3be637c296d6cf3272e67 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60412bdd1b2576659eac23a23d2d9ff96228a643",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "19f8bc139e9b149d1e5bf75ae761d1bb8dd3e7d8",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "a3ad9b5767c89531fc7dae951b51b0933dcf7051",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "bede0f481b9137d73d1cf64309cbe4b94818a5d6",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "23548007b3c66d628fc7d6b80d1e23be04ea10d9",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "a13199fa224e9f776f4005d5037df03aa9ea8f37",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "e302206ad84a407a7e5f3f6fe767ff5efaace689",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
},
{
"lessThan": "180235600934bef6add3be637c296d6cf3272e67",
"status": "affected",
"version": "e1921168bbd4810de4197446e52f652cd0dd9541",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: sync RX data at the hardware packet offset\n\nmvpp2 programs the RX queue packet offset, so hardware writes received\ndata at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at\ndma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the\nunused headroom and misses the same number of bytes at the packet tail.\n\nOn non-coherent DMA systems this can leave the CPU reading stale cache\ncontents for the end of the received frame.\n\nUse dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range\noffset so the sync covers the Marvell header and packet data actually\nwritten by hardware."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:31.101Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60412bdd1b2576659eac23a23d2d9ff96228a643"
},
{
"url": "https://git.kernel.org/stable/c/19f8bc139e9b149d1e5bf75ae761d1bb8dd3e7d8"
},
{
"url": "https://git.kernel.org/stable/c/a3ad9b5767c89531fc7dae951b51b0933dcf7051"
},
{
"url": "https://git.kernel.org/stable/c/bede0f481b9137d73d1cf64309cbe4b94818a5d6"
},
{
"url": "https://git.kernel.org/stable/c/23548007b3c66d628fc7d6b80d1e23be04ea10d9"
},
{
"url": "https://git.kernel.org/stable/c/a13199fa224e9f776f4005d5037df03aa9ea8f37"
},
{
"url": "https://git.kernel.org/stable/c/e302206ad84a407a7e5f3f6fe767ff5efaace689"
},
{
"url": "https://git.kernel.org/stable/c/180235600934bef6add3be637c296d6cf3272e67"
}
],
"title": "net: mvpp2: sync RX data at the hardware packet offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53217",
"datePublished": "2026-06-25T08:39:20.186Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-28T06:40:31.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53147 (GCVE-0-2026-53147)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
thunderbolt: Validate XDomain request packet size before type cast
Summary
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Validate XDomain request packet size before type cast
tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of-bounds reads from the kmemdup allocation.
Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < a770e62923090d7572f1f5a8507ae551d354a057 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 0dd61ba03d05187726ecdf9c0e2175a81b9b24f6 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 79235c8add5da4bf27a12f5a5dbb579f300c059e (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 46da5c3ea011e884028a91cf913db093920a915b (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < 07cd2787cdf8942d24a1a3ef81aa89b526fb6381 (git) |
| Linux | Linux | Affected: cdae7c07e3e3509eaabc18c1640a55dc5b99c179, < a504b9f2797b739e0304d537e8aa4ce883ecce39 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a770e62923090d7572f1f5a8507ae551d354a057",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "0dd61ba03d05187726ecdf9c0e2175a81b9b24f6",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "79235c8add5da4bf27a12f5a5dbb579f300c059e",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "46da5c3ea011e884028a91cf913db093920a915b",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "07cd2787cdf8942d24a1a3ef81aa89b526fb6381",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
},
{
"lessThan": "a504b9f2797b739e0304d537e8aa4ce883ecce39",
"status": "affected",
"version": "cdae7c07e3e3509eaabc18c1640a55dc5b99c179",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thunderbolt/xdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Validate XDomain request packet size before type cast\n\ntb_xdp_handle_request() casts the received packet buffer to\nprotocol-specific structs without verifying that the allocation\nis large enough for the target type. A peer can send a minimal\nXDomain packet that passes the generic header length check but is\nshorter than the struct accessed after the cast, causing out-of-\nbounds reads from the kmemdup allocation.\n\nPlumb the packet length through xdomain_request_work and validate\nit against the expected struct size before each cast."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:32.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057"
},
{
"url": "https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6"
},
{
"url": "https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e"
},
{
"url": "https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b"
},
{
"url": "https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381"
},
{
"url": "https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39"
}
],
"title": "thunderbolt: Validate XDomain request packet size before type cast",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53147",
"datePublished": "2026-06-25T08:38:33.547Z",
"dateReserved": "2026-06-09T07:44:35.387Z",
"dateUpdated": "2026-06-28T06:39:32.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52916 (GCVE-0-2026-52916)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
batman-adv: frag: disallow unicast fragment in fragment
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: frag: disallow unicast fragment in fragment
batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload.
A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted.
Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < 0c208fa3859e3a33a1c38bebc41d021166e94ac8 (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < bcda4814dc6524283c0b958882cb963d75fe411d (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < aea54d0bbe156d5ab7d00d68f66149ff41f4612a (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < b54e459cf86943583c1aa2ee3081874e7ab1f5f3 (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < 5418be6c2e117bf8a316582795a8e3ff90f45e5d (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < 5895ad21c7059a652da83fb817510f7a1e962abf (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < 7138c35c9ad39a2fca6264af6b87466471f04ffc (git) |
| Linux | Linux | Affected: 610bfc6bc99bc83680d190ebc69359a05fc7f605, < bc62216dc8e221e3781afa14430f45208bfa9af9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/fragmentation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c208fa3859e3a33a1c38bebc41d021166e94ac8",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "bcda4814dc6524283c0b958882cb963d75fe411d",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "aea54d0bbe156d5ab7d00d68f66149ff41f4612a",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "b54e459cf86943583c1aa2ee3081874e7ab1f5f3",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "5418be6c2e117bf8a316582795a8e3ff90f45e5d",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "5895ad21c7059a652da83fb817510f7a1e962abf",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "7138c35c9ad39a2fca6264af6b87466471f04ffc",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
},
{
"lessThan": "bc62216dc8e221e3781afa14430f45208bfa9af9",
"status": "affected",
"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/fragmentation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: frag: disallow unicast fragment in fragment\n\nbatadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a\nBATADV_UNICAST_FRAG packet is received. Once all fragments are collected\nand the packet is reassembled, batadv_recv_frag_packet() calls\nbatadv_batman_skb_recv() again to process the defragmented payload.\n\nA malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled\npayload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).\nEach nesting level recurses through batadv_batman_skb_recv() without bound,\ngrowing the kernel stack until it is exhausted.\n\nSince refragmentation or fragments in fragments are not actually allowed,\ndiscard all packets which are still BATADV_UNICAST_FRAG packets after the\ndefragmentation process."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:13.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8"
},
{
"url": "https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d"
},
{
"url": "https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a"
},
{
"url": "https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3"
},
{
"url": "https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d"
},
{
"url": "https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf"
},
{
"url": "https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc"
},
{
"url": "https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9"
}
],
"title": "batman-adv: frag: disallow unicast fragment in fragment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52916",
"datePublished": "2026-06-24T07:14:13.221Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-24T07:14:13.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53230 (GCVE-0-2026-53230)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
mlx5_query_nic_vport_mac_list() sizes its firmware command buffer using the PF's log_max_current_uc/mc_list capabilities. When querying a VF vport with a larger configured max (via devlink), the firmware response can overflow this buffer:
BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385
CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
Call Trace:
<TASK>
dump_stack_lvl+0x69/0xa0
print_report+0x176/0x4e4
kasan_report+0xc8/0x100
mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core]
esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core]
esw_vport_change_handler+0x6a/0x90 [mlx5_core]
process_one_work+0x87f/0x15e0
worker_thread+0x62b/0x1020
kthread+0x375/0x490
ret_from_fork+0x4dc/0x810
ret_from_fork_asm+0x11/0x20
</TASK>
Fix by querying the vport's own HCA caps to size the buffer correctly. Refactor the function to allocate and return the MAC list internally, removing the caller's dependency on knowing the correct max.
Severity
8.7 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e16aea2744abea612c27ee0eef606c6a6a8204de, < 41781f2789309462520a93822e946521ed78f97f (git) |
| Linux | Linux | Affected: e16aea2744abea612c27ee0eef606c6a6a8204de, < 537d87784e81c3d7037525b99416455cee088cdc (git) |
| Linux | Linux | Affected: e16aea2744abea612c27ee0eef606c6a6a8204de, < 0f807764bb122fd63aa45f4229cb1ef2679fbd40 (git) |
| Linux | Linux | Affected: e16aea2744abea612c27ee0eef606c6a6a8204de, < 2398e497389ed4be43f7cfbab499b49cec7dae1a (git) |
| Linux | Linux | Affected: e16aea2744abea612c27ee0eef606c6a6a8204de, < 894e036a24a26a6dd7b17d8d3fb5c53ab48a6074 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/vport.c",
"include/linux/mlx5/vport.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "41781f2789309462520a93822e946521ed78f97f",
"status": "affected",
"version": "e16aea2744abea612c27ee0eef606c6a6a8204de",
"versionType": "git"
},
{
"lessThan": "537d87784e81c3d7037525b99416455cee088cdc",
"status": "affected",
"version": "e16aea2744abea612c27ee0eef606c6a6a8204de",
"versionType": "git"
},
{
"lessThan": "0f807764bb122fd63aa45f4229cb1ef2679fbd40",
"status": "affected",
"version": "e16aea2744abea612c27ee0eef606c6a6a8204de",
"versionType": "git"
},
{
"lessThan": "2398e497389ed4be43f7cfbab499b49cec7dae1a",
"status": "affected",
"version": "e16aea2744abea612c27ee0eef606c6a6a8204de",
"versionType": "git"
},
{
"lessThan": "894e036a24a26a6dd7b17d8d3fb5c53ab48a6074",
"status": "affected",
"version": "e16aea2744abea612c27ee0eef606c6a6a8204de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/vport.c",
"include/linux/mlx5/vport.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list\n\nmlx5_query_nic_vport_mac_list() sizes its firmware command buffer using\nthe PF\u0027s log_max_current_uc/mc_list capabilities. When querying a VF\nvport with a larger configured max (via devlink), the firmware response\ncan overflow this buffer:\n\n BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]\n Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385\n\n CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x69/0xa0\n print_report+0x176/0x4e4\n kasan_report+0xc8/0x100\n mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]\n esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core]\n esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core]\n esw_vport_change_handler+0x6a/0x90 [mlx5_core]\n process_one_work+0x87f/0x15e0\n worker_thread+0x62b/0x1020\n kthread+0x375/0x490\n ret_from_fork+0x4dc/0x810\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nFix by querying the vport\u0027s own HCA caps to size the buffer correctly.\nRefactor the function to allocate and return the MAC list internally,\nremoving the caller\u0027s dependency on knowing the correct max."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:41.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/41781f2789309462520a93822e946521ed78f97f"
},
{
"url": "https://git.kernel.org/stable/c/537d87784e81c3d7037525b99416455cee088cdc"
},
{
"url": "https://git.kernel.org/stable/c/0f807764bb122fd63aa45f4229cb1ef2679fbd40"
},
{
"url": "https://git.kernel.org/stable/c/2398e497389ed4be43f7cfbab499b49cec7dae1a"
},
{
"url": "https://git.kernel.org/stable/c/894e036a24a26a6dd7b17d8d3fb5c53ab48a6074"
}
],
"title": "net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53230",
"datePublished": "2026-06-25T08:39:29.210Z",
"dateReserved": "2026-06-09T07:44:35.393Z",
"dateUpdated": "2026-06-28T06:40:41.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53225 (GCVE-0-2026-53225)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.
An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.
Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.
The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
Severity
9.1 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < 446e0ecd845abc394b24ae2030a883572bec9d16 (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < 928dd94db23e8ba340f83d68f7f24d831b7a4426 (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < d796cfd06074b579d265b28401306cadd30db945 (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < 8ce96f1182644079249a24ac7e2ffc32e0301a46 (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < d6bd0bb7697ea8c0387b0d9d973453f479017b23 (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < f76a8b323e28e0951f979dbef20a7496383c47df (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < 8e86817b8af4d552f3c6fe04ca52bb0c8c57411d (git) |
| Linux | Linux | Affected: df21857714398acb8b24a8bb5a6d2286dd9c59ef, < f8373d7090b745728de66308deeecc67e8d319ce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "446e0ecd845abc394b24ae2030a883572bec9d16",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "928dd94db23e8ba340f83d68f7f24d831b7a4426",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "d796cfd06074b579d265b28401306cadd30db945",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "8ce96f1182644079249a24ac7e2ffc32e0301a46",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "d6bd0bb7697ea8c0387b0d9d973453f479017b23",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "f76a8b323e28e0951f979dbef20a7496383c47df",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "8e86817b8af4d552f3c6fe04ca52bb0c8c57411d",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
},
{
"lessThan": "f8373d7090b745728de66308deeecc67e8d319ce",
"status": "affected",
"version": "df21857714398acb8b24a8bb5a6d2286dd9c59ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf-\u003efrom_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter\u0027s declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops after the 4-byte parameter\nheader; reached from the no-association lookup path, from_addr_param() then\nreads uninitialized bytes past the parameter.\n\nImpact: an unauthenticated SCTP peer makes the receive path read up to 16\nbytes of uninitialized memory past a truncated ASCONF address parameter.\n\nThe sibling __sctp_rcv_init_lookup() bounds parameters with\nsctp_walk_params(); this path open-codes the fetch and omits the bound.\nVerify the whole address parameter lies within the chunk before\nfrom_addr_param() reads it, the same class of fix as commit 51e5ad549c43\n(\"net: sctp: fix KMSAN uninit-value in sctp_inq_pop\")."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:37.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16"
},
{
"url": "https://git.kernel.org/stable/c/928dd94db23e8ba340f83d68f7f24d831b7a4426"
},
{
"url": "https://git.kernel.org/stable/c/d796cfd06074b579d265b28401306cadd30db945"
},
{
"url": "https://git.kernel.org/stable/c/8ce96f1182644079249a24ac7e2ffc32e0301a46"
},
{
"url": "https://git.kernel.org/stable/c/d6bd0bb7697ea8c0387b0d9d973453f479017b23"
},
{
"url": "https://git.kernel.org/stable/c/f76a8b323e28e0951f979dbef20a7496383c47df"
},
{
"url": "https://git.kernel.org/stable/c/8e86817b8af4d552f3c6fe04ca52bb0c8c57411d"
},
{
"url": "https://git.kernel.org/stable/c/f8373d7090b745728de66308deeecc67e8d319ce"
}
],
"title": "sctp: fix uninit-value in __sctp_rcv_asconf_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53225",
"datePublished": "2026-06-25T08:39:25.911Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-28T06:40:37.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53181 (GCVE-0-2026-53181)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-25 08:38
Title
vsock/vmci: fix sk_ack_backlog leak on failed handshake
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/vmci: fix sk_ack_backlog leak on failed handshake
When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.
Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.
The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().
Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < 22c587aa3ab1ab5264daff3ec32136fd30436c13 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < cf7090e255d74c4b61c51f8ede9fcacdd8393b5b (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < ea0b03d52881c12a8c634ea0d6cbfa61cefdb488 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < dfd853197615d322d3a88dbcab91fc0fd2096219 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < bcb275626055df7f8f947f1a349754b4004d9a15 (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < ba9ad6015937a5e46ba1a31370e3efdec8abbdcc (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < 9698582a4dd9c4a05889d7db96d4c0edc9e69cac (git) |
| Linux | Linux | Affected: d021c344051af91f42c5ba9fdedc176740cbd238, < c05fa14db43ebef3bd862ca9d073981c0358b3f0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/vmci_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22c587aa3ab1ab5264daff3ec32136fd30436c13",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "cf7090e255d74c4b61c51f8ede9fcacdd8393b5b",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "ea0b03d52881c12a8c634ea0d6cbfa61cefdb488",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "dfd853197615d322d3a88dbcab91fc0fd2096219",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "bcb275626055df7f8f947f1a349754b4004d9a15",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "ba9ad6015937a5e46ba1a31370e3efdec8abbdcc",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "9698582a4dd9c4a05889d7db96d4c0edc9e69cac",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "c05fa14db43ebef3bd862ca9d073981c0358b3f0",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/vmci_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/vmci: fix sk_ack_backlog leak on failed handshake\n\nWhen vmci_transport_recv_connecting_server() returns an error,\nvmci_transport_recv_listen() calls vsock_remove_pending() but never\ncalls sk_acceptq_removed(). This leaves sk_ack_backlog incremented\npermanently.\n\nRepeated handshake failures (malformed packets, queue pair alloc\nfailure, event subscribe failure) cause sk_ack_backlog to climb\ntoward sk_max_ack_backlog. Once it reaches the limit the listener\npermanently refuses all new connections with -ECONNREFUSED, a\nsilent denial of service requiring a process restart to recover.\n\nThe two existing sk_acceptq_removed() calls in af_vsock.c do not\ncover this path: line 764 checks vsock_is_pending() which returns\nfalse after vsock_remove_pending(), and line 1889 is only reached\non successful accept().\n\nFix by balancing sk_acceptq_added() with sk_acceptq_removed() on\nthe error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:38:55.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22c587aa3ab1ab5264daff3ec32136fd30436c13"
},
{
"url": "https://git.kernel.org/stable/c/cf7090e255d74c4b61c51f8ede9fcacdd8393b5b"
},
{
"url": "https://git.kernel.org/stable/c/ea0b03d52881c12a8c634ea0d6cbfa61cefdb488"
},
{
"url": "https://git.kernel.org/stable/c/dfd853197615d322d3a88dbcab91fc0fd2096219"
},
{
"url": "https://git.kernel.org/stable/c/bcb275626055df7f8f947f1a349754b4004d9a15"
},
{
"url": "https://git.kernel.org/stable/c/ba9ad6015937a5e46ba1a31370e3efdec8abbdcc"
},
{
"url": "https://git.kernel.org/stable/c/9698582a4dd9c4a05889d7db96d4c0edc9e69cac"
},
{
"url": "https://git.kernel.org/stable/c/c05fa14db43ebef3bd862ca9d073981c0358b3f0"
}
],
"title": "vsock/vmci: fix sk_ack_backlog leak on failed handshake",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53181",
"datePublished": "2026-06-25T08:38:55.994Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-25T08:38:55.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53219 (GCVE-0-2026-53219)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
netfilter: x_tables: avoid leaking percpu counter pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: avoid leaking percpu counter pointers
The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.
On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.
Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < b74ba3343eb44b2cbf7e9665918c287df1d52ebb (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < 0b35dc8527ccc16b7dc34e8a3164313e68cd4e45 (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < b28e2fcad3db7e8687b15bc20bced26b5b7c920e (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < a0d16941adf3a501956d74aefd8d6e217906e79c (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < 8d67e42ad3b1a95a152541015a07110e06992d6c (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < 08a3e218064db11f154ad9ad5541751ea7f34ebe (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < fb0521aff1e10e300d89725cc439d3ea74c828c5 (git) |
| Linux | Linux | Affected: 71ae0dff02d756e4d2ca710b79f2ff5390029a5f, < f7f2fbb0e893a0238dc464f8d8c0f5609bec584f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/ip_tables.c",
"net/ipv6/netfilter/ip6_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b74ba3343eb44b2cbf7e9665918c287df1d52ebb",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "0b35dc8527ccc16b7dc34e8a3164313e68cd4e45",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "b28e2fcad3db7e8687b15bc20bced26b5b7c920e",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "a0d16941adf3a501956d74aefd8d6e217906e79c",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "8d67e42ad3b1a95a152541015a07110e06992d6c",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "08a3e218064db11f154ad9ad5541751ea7f34ebe",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "fb0521aff1e10e300d89725cc439d3ea74c828c5",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
},
{
"lessThan": "f7f2fbb0e893a0238dc464f8d8c0f5609bec584f",
"status": "affected",
"version": "71ae0dff02d756e4d2ca710b79f2ff5390029a5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/ip_tables.c",
"net/ipv6/netfilter/ip6_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: avoid leaking percpu counter pointers\n\nThe native and compat get-entries paths copy the fixed rule entry header\nfrom the kernelized rule blob to userspace before overwriting the entry\u0027s\ncounter fields with a sanitized counter snapshot.\n\nOn SMP kernels, entry-\u003ecounters.pcnt contains the percpu allocation\naddress used by x_tables rule counters. A caller can provide a userspace\nbuffer that faults during the initial fixed-header copy after pcnt has\nbeen copied but before the later sanitized counter copy runs. The syscall\nthen returns -EFAULT while leaving the raw percpu pointer in userspace.\n\nCopy only the fixed entry prefix before counters from the kernelized rule\nblob, then copy the sanitized counter snapshot into the counter field.\nApply this ordering to the IPv4, IPv6, and ARP native and compat\nget-entries implementations so a fault cannot expose the internal percpu\ncounter pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:21.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b74ba3343eb44b2cbf7e9665918c287df1d52ebb"
},
{
"url": "https://git.kernel.org/stable/c/0b35dc8527ccc16b7dc34e8a3164313e68cd4e45"
},
{
"url": "https://git.kernel.org/stable/c/b28e2fcad3db7e8687b15bc20bced26b5b7c920e"
},
{
"url": "https://git.kernel.org/stable/c/a0d16941adf3a501956d74aefd8d6e217906e79c"
},
{
"url": "https://git.kernel.org/stable/c/8d67e42ad3b1a95a152541015a07110e06992d6c"
},
{
"url": "https://git.kernel.org/stable/c/08a3e218064db11f154ad9ad5541751ea7f34ebe"
},
{
"url": "https://git.kernel.org/stable/c/fb0521aff1e10e300d89725cc439d3ea74c828c5"
},
{
"url": "https://git.kernel.org/stable/c/f7f2fbb0e893a0238dc464f8d8c0f5609bec584f"
}
],
"title": "netfilter: x_tables: avoid leaking percpu counter pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53219",
"datePublished": "2026-06-25T08:39:21.730Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-25T08:39:21.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52923 (GCVE-0-2026-52923)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-30 12:09
Title
ipc: limit next_id allocation to the valid ID range
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc: limit next_id allocation to the valid ID range
The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id. ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.
If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni. The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.
The bug is in ipc_idr_alloc() in the checkpoint/restore path.
1. ids->next_id is passed to:
     idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)
2. The zero upper bound makes the allocation effectively open-ended.
   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
   ipc_mni and allocate an entry beyond the valid IPC id range.
3. The new object id is still encoded with the narrower SysV IPC index
   width:
     new->id = (new->seq << ipcmni_seq_shift()) + idx
4. Later removal goes through ipc_rmid(), which uses:
     ipcid_to_idx(ipcp->id)
   That truncates the real IDR index. An object actually stored at a
   high index can then be removed as if it lived at a low in-range
   index.
5. For shared memory, shm_destroy() frees the current object anyway, but
   the real high IDR slot is left behind as a dangling pointer.
6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
   and dereferences freed memory.
Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.
Severity
7.8 (High)
CWE
- CWE-825 - Expired Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < 3bbe2bb9111ce6967a951bfac79af142d816fae5 (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < 8c58a92849175f5e2ab7bc2734b3b89afe79f6ef (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < af24e202b543ded8a34f1d5d3db54eb916173f04 (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < 157ce2c6836ce0ff19108a819f38df061345425f (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < 41058d4c3f63ab64901560a704882e0565f4e456 (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < a3cc795129e5ec0f8948653a3bf471e7d8852f5e (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < bd4be70669af55b974860d13680348cfdf50bbed (git) |
| Linux | Linux | Affected: 03f595668017f1a1fb971c02fc37140bc6e7bb1c, < fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 (git) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel. The `ipc_idr_alloc()` function, used in the checkpoint/restore path for SysV Inter-Process Communication (IPC) ID allocation, does not properly limit ID allocation to the valid range. This can result in the system attempting to dereference freed memory, leading to a use-after-free vulnerability. This issue could potentially cause system instability or information disclosure."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:46.761Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-52923"
},
{
"name": "RHBZ#2492094",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492094"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: ipc: limit next_id allocation to the valid ID range",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"ipc/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3bbe2bb9111ce6967a951bfac79af142d816fae5",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "8c58a92849175f5e2ab7bc2734b3b89afe79f6ef",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "af24e202b543ded8a34f1d5d3db54eb916173f04",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "157ce2c6836ce0ff19108a819f38df061345425f",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "41058d4c3f63ab64901560a704882e0565f4e456",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "a3cc795129e5ec0f8948653a3bf471e7d8852f5e",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "bd4be70669af55b974860d13680348cfdf50bbed",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
},
{
"lessThan": "fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139",
"status": "affected",
"version": "03f595668017f1a1fb971c02fc37140bc6e7bb1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"ipc/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids-\u003enext_id. ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni. The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids-\u003enext_id is passed to:\n\n idr_alloc(\u0026ids-\u003eipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n width:\n\n new-\u003eid = (new-\u003eseq \u003c\u003c ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n ipcid_to_idx(ipcp-\u003eid)\n\n That truncates the real IDR index. An object actually stored at a\n high index can then be removed as if it lived at a low in-range\n index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:45.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5"
},
{
"url": "https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef"
},
{
"url": "https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04"
},
{
"url": "https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f"
},
{
"url": "https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456"
},
{
"url": "https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e"
},
{
"url": "https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed"
},
{
"url": "https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139"
}
],
"title": "ipc: limit next_id allocation to the valid ID range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52923",
"datePublished": "2026-06-24T07:14:17.849Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-30T12:09:46.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53227 (GCVE-0-2026-53227)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
net: openvswitch: fix possible kfree_skb of ERR_PTR
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix possible kfree_skb of ERR_PTR
After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.
However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.
If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the correspondent
cleanup stage which will try to free an invalid pointer.
Fix this by setting the pointer to NULL after having saved its error
value.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e248fb2e680deb2bd37bac551b72638fe4938a76",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "971b1b37774f13acc5add0a2843f8598446b8598",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "25fdf53698535fe8790237f5a8a9626791429785",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "e3d509a1b71396e1452060dbf84a805fd1c3c549",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "ecc55aad3390129a87106841f4b68bf3d70c9264",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "895d1dd9057cde1687fa0f4286d47ceed0b82997",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
},
{
"lessThan": "ee30dd2909d8b98619f4341c70ec8dc8e155ab02",
"status": "affected",
"version": "893f139b9a6c00c097b9082a90f3041cfb3a0d20",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible kfree_skb of ERR_PTR\n\nAfter the patch in the \"Fixes\" tag, the allocation of the \"reply\" skb\ncan happen either before or after locking the ovs_mutex.\n\nHowever, error cleanups still follow the classical reversed order,\nassuming \"reply\" is allocated before locking: it is freed after unlocking.\n\nIf \"reply\" allocation happens after locking the mutex and it fails,\n\"reply\" is left with an ERR_PTR, and execution jumps to the correspondent\ncleanup stage which will try to free an invalid pointer.\n\nFix this by setting the pointer to NULL after having saved its error\nvalue."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:27.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e248fb2e680deb2bd37bac551b72638fe4938a76"
},
{
"url": "https://git.kernel.org/stable/c/0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d"
},
{
"url": "https://git.kernel.org/stable/c/971b1b37774f13acc5add0a2843f8598446b8598"
},
{
"url": "https://git.kernel.org/stable/c/25fdf53698535fe8790237f5a8a9626791429785"
},
{
"url": "https://git.kernel.org/stable/c/e3d509a1b71396e1452060dbf84a805fd1c3c549"
},
{
"url": "https://git.kernel.org/stable/c/ecc55aad3390129a87106841f4b68bf3d70c9264"
},
{
"url": "https://git.kernel.org/stable/c/895d1dd9057cde1687fa0f4286d47ceed0b82997"
},
{
"url": "https://git.kernel.org/stable/c/ee30dd2909d8b98619f4341c70ec8dc8e155ab02"
}
],
"title": "net: openvswitch: fix possible kfree_skb of ERR_PTR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53227",
"datePublished": "2026-06-25T08:39:27.229Z",
"dateReserved": "2026-06-09T07:44:35.392Z",
"dateUpdated": "2026-06-25T08:39:27.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53254 (GCVE-0-2026-53254)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
Title
Bluetooth: RFCOMM: validate skb length in MCC handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: validate skb length in MCC handlers
The RFCOMM MCC handlers cast skb->data to protocol-specific structs
without validating skb->len first. A malicious remote device can send
truncated MCC frames and trigger out-of-bounds reads in these handlers.
Fix this by using skb_pull_data() to validate and access the required
data before dereferencing it.
rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows
1-byte RPN requests. Handle this by validating only the DLCI byte first,
and validating the full struct only when len > 1.
Severity
8.1 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c15c7c2878957cbfed93bcc29c13fdace464254",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d637136ce89f9a2309b2c3502402ce400dab0ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98377e6b1a1a56561ec66a181573ea2b61b2079e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b070ac9e99c2c2c3a8112943ca98ab6fca7f10c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3eabc6d47a0ad22b053329997aaf0ec1e581e392",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08b9c1fbe78f4ad3f6250c6541cfaabdbeb81997",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23882b828c3c8c51d0c946446a396b10abb3b16b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: validate skb length in MCC handlers\n\nThe RFCOMM MCC handlers cast skb-\u003edata to protocol-specific structs\nwithout validating skb-\u003elen first. A malicious remote device can send\ntruncated MCC frames and trigger out-of-bounds reads in these handlers.\n\nFix this by using skb_pull_data() to validate and access the required\ndata before dereferencing it.\n\nrfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows\n1-byte RPN requests. Handle this by validating only the DLCI byte first,\nand validating the full struct only when len \u003e 1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:59.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c15c7c2878957cbfed93bcc29c13fdace464254"
},
{
"url": "https://git.kernel.org/stable/c/0d637136ce89f9a2309b2c3502402ce400dab0ef"
},
{
"url": "https://git.kernel.org/stable/c/98377e6b1a1a56561ec66a181573ea2b61b2079e"
},
{
"url": "https://git.kernel.org/stable/c/1b070ac9e99c2c2c3a8112943ca98ab6fca7f10c"
},
{
"url": "https://git.kernel.org/stable/c/3eabc6d47a0ad22b053329997aaf0ec1e581e392"
},
{
"url": "https://git.kernel.org/stable/c/08b9c1fbe78f4ad3f6250c6541cfaabdbeb81997"
},
{
"url": "https://git.kernel.org/stable/c/23882b828c3c8c51d0c946446a396b10abb3b16b"
}
],
"title": "Bluetooth: RFCOMM: validate skb length in MCC handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53254",
"datePublished": "2026-06-25T08:39:45.273Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-28T06:40:59.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53186 (GCVE-0-2026-53186)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:40
Title
RDMA/srp: bound SRP_RSP sense copy by the received length
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: bound SRP_RSP sense copy by the received length
srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.
A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.
Severity
9.1 (Critical)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/srp/ib_srp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3889517c2ec7f364914aea8209abfff735f7ecde",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "ed77cc819ad631264787cade5ae5ec4c535ec6bb",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "0b9ee09d5e849591f17d98c078033dadea967293",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "0d64bc200ebe4f275b27438c6e593903e0b16fe1",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "2015038195939eac54a1ee83c9d98ef1a8ccbbce",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "f92a285db7ff6e598591ccbfb551be155c5f4d57",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "3523e53ff95f1837ec3f57ff7558532bcb2661b7",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
},
{
"lessThan": "13e91fd076306f5d0cdfa14f53d69e37274723c4",
"status": "affected",
"version": "aef9ec39c47f0cece886ddd6b53c440321e0b2a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/srp/ib_srp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: bound SRP_RSP sense copy by the received length\n\nsrp_process_rsp() copies sense data from rsp-\u003edata + resp_data_len,\nwhere resp_data_len is the full 32-bit value supplied by the SRP target\nand is never checked against the number of bytes actually received\n(wc-\u003ebyte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so\nat most 96 bytes are copied, but the source offset is not bounded.\n\nA malicious or compromised SRP target on the InfiniBand/RoCE fabric that\nthe initiator has logged into can return an SRP_RSP with\nSRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer\nis allocated at the target-chosen max_ti_iu_len, so the source of the\nsense copy lands past the bytes actually received; with resp_data_len\nnear 0xFFFFFFFF it is gigabytes past the buffer and the read faults.\n\nCopy the sense data only if it has not been truncated, that is, only if\nthe response header, the response data, and the sense region fit within\nthe bytes actually received; otherwise drop the sense and log. The\nin-tree iSER and NVMe-RDMA receive paths already bound their parse by\nwc-\u003ebyte_len; this brings ib_srp into line with them."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:01.569Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3889517c2ec7f364914aea8209abfff735f7ecde"
},
{
"url": "https://git.kernel.org/stable/c/ed77cc819ad631264787cade5ae5ec4c535ec6bb"
},
{
"url": "https://git.kernel.org/stable/c/0b9ee09d5e849591f17d98c078033dadea967293"
},
{
"url": "https://git.kernel.org/stable/c/0d64bc200ebe4f275b27438c6e593903e0b16fe1"
},
{
"url": "https://git.kernel.org/stable/c/2015038195939eac54a1ee83c9d98ef1a8ccbbce"
},
{
"url": "https://git.kernel.org/stable/c/f92a285db7ff6e598591ccbfb551be155c5f4d57"
},
{
"url": "https://git.kernel.org/stable/c/3523e53ff95f1837ec3f57ff7558532bcb2661b7"
},
{
"url": "https://git.kernel.org/stable/c/13e91fd076306f5d0cdfa14f53d69e37274723c4"
}
],
"title": "RDMA/srp: bound SRP_RSP sense copy by the received length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53186",
"datePublished": "2026-06-25T08:38:59.508Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-06-28T06:40:01.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53268 (GCVE-0-2026-53268)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
netfilter: conntrack_irc: fix possible out-of-bounds read
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack_irc: fix possible out-of-bounds read
When parsing fails after we've matched the command string we
should bail out instead of trying to match a different command.
This helper should be deprecated, given prevalence of TLS I doubt it has
any relevance in 2026.
Severity
8.2 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_irc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cdda7f868f48e2f81579371584fdbdce37df2c8",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "8a1d6e40dedfe1068aee094d851bd69e289c9fd6",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "0afc802160af0df61ed374fdb97fb34cfe5cdf2f",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "7c34f91305292083253df6a9f6c8ede02d4ccaea",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "ddddd8271359961e403d11c90c9ba9fc38914f7e",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "9e5da2379f968a3ea5a6e38921ab6201576466dc",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "573810f61bcd6b6815e2ff53bbdd2b9c9d747176",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
},
{
"lessThan": "66eba0ffce3b7e11449946b4cbbef8ea36112f56",
"status": "affected",
"version": "869f37d8e48f3911eb70f38a994feaa8f8380008",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_irc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack_irc: fix possible out-of-bounds read\n\nWhen parsing fails after we\u0027ve matched the command string we\nshould bail out instead of trying to match a different command.\n\nThis helper should be deprecated, given prevalence of TLS I doubt it has\nany relevance in 2026."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:12.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cdda7f868f48e2f81579371584fdbdce37df2c8"
},
{
"url": "https://git.kernel.org/stable/c/8a1d6e40dedfe1068aee094d851bd69e289c9fd6"
},
{
"url": "https://git.kernel.org/stable/c/0afc802160af0df61ed374fdb97fb34cfe5cdf2f"
},
{
"url": "https://git.kernel.org/stable/c/7c34f91305292083253df6a9f6c8ede02d4ccaea"
},
{
"url": "https://git.kernel.org/stable/c/ddddd8271359961e403d11c90c9ba9fc38914f7e"
},
{
"url": "https://git.kernel.org/stable/c/9e5da2379f968a3ea5a6e38921ab6201576466dc"
},
{
"url": "https://git.kernel.org/stable/c/573810f61bcd6b6815e2ff53bbdd2b9c9d747176"
},
{
"url": "https://git.kernel.org/stable/c/66eba0ffce3b7e11449946b4cbbef8ea36112f56"
}
],
"title": "netfilter: conntrack_irc: fix possible out-of-bounds read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53268",
"datePublished": "2026-06-25T08:39:54.511Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:12.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53263 (GCVE-0-2026-53263)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-25 08:39
Title
6lowpan: fix off-by-one in multicast context address compression
Summary
In the Linux kernel, the following vulnerability has been resolved:

6lowpan: fix off-by-one in multicast context address compression

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]   (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/6lowpan/iphc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f24a58c72a45f4c109f3557a760cc4b60b7a6037",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "da8cbb64b47e9066b40af0de170901caf17b768c",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "4485d79617520d84ba5a14515e2b5136007d6deb",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "06ce6fc106b16dec9b535950db626261be865e5b",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "c32f30ef5e66adbfa102348e2e8a23776eb007cb",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "da8808463882c3f3c357b072e25053c2121f1419",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
},
{
"lessThan": "2a58899d11009bffc7b4b32a571858f381121837",
"status": "affected",
"version": "5609c185f24dffca5f6a9c127106869da150be03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/6lowpan/iphc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n6lowpan: fix off-by-one in multicast context address compression\n\nThe second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses\n\u0026data[1] as destination and \u0026ipaddr-\u003es6_addr[11] as source, but\nboth should be offset by one: \u0026data[2] and \u0026ipaddr-\u003es6_addr[12]\nrespectively.\n\nThis off-by-one has two consequences:\n1. data[1] is overwritten with s6_addr[11], corrupting the RIID\n field in the compressed multicast address\n2. data[5] is never written, so uninitialized kernel stack memory\n is transmitted over the network via lowpan_push_hc_data(),\n leaking kernel stack contents\n\nThe correct inline data layout must match what the decompression\nfunction lowpan_uncompress_multicast_ctx_daddr() expects:\n data[0..1] = s6_addr[1..2] (flags/scope + RIID)\n data[2..5] = s6_addr[12..15] (group ID)\n\nAlso zero-initialize the data array as a defensive measure against\nsimilar bugs in the future."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T08:39:51.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f24a58c72a45f4c109f3557a760cc4b60b7a6037"
},
{
"url": "https://git.kernel.org/stable/c/da8cbb64b47e9066b40af0de170901caf17b768c"
},
{
"url": "https://git.kernel.org/stable/c/4485d79617520d84ba5a14515e2b5136007d6deb"
},
{
"url": "https://git.kernel.org/stable/c/06ce6fc106b16dec9b535950db626261be865e5b"
},
{
"url": "https://git.kernel.org/stable/c/dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af"
},
{
"url": "https://git.kernel.org/stable/c/c32f30ef5e66adbfa102348e2e8a23776eb007cb"
},
{
"url": "https://git.kernel.org/stable/c/da8808463882c3f3c357b072e25053c2121f1419"
},
{
"url": "https://git.kernel.org/stable/c/2a58899d11009bffc7b4b32a571858f381121837"
}
],
"title": "6lowpan: fix off-by-one in multicast context address compression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53263",
"datePublished": "2026-06-25T08:39:51.215Z",
"dateReserved": "2026-06-09T07:44:35.394Z",
"dateUpdated": "2026-06-25T08:39:51.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53194 (GCVE-0-2026-53194)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-07-02 12:05
Title
USB: serial: kl5kusb105: fix bulk-out buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.
Severity
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s `kl5kusb105` USB serial driver. This buffer overflow vulnerability allows a local attacker to write data beyond the intended memory boundary (if attacker controls USB device or driver, because triggered from the internals of the device). By sending a specially crafted input to the USB serial port, an attacker can trigger an out-of-bounds write, which may lead to memory corruption. The primary consequence of this flaw is a denial of service (DoS), potentially causing system instability or crashes."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:23.469Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-53194"
},
{
"name": "RHBZ#2492703",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492703"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53194.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: USB: serial: kl5kusb105: fix bulk-out buffer overflow",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, prevent module kl5kusb105 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/kl5kusb105.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60af1fd82983c26604102e63a3fcc822c186cceb",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "0a57320f71941d4e0b1307453c9a1f0939afe666",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "14147b7963685957839c76ba8094924e22777d79",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "a1288cd700f721c1a119c4f1e8efa234e59caada",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "70d86e355c564b5510fde61361df014f5476c83e",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "372f33ebed747d91870f57c0a2e62884a870bffa",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "bde742b076cbe26ecc89c8c68c76ae076a524d02",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
},
{
"lessThan": "96d47e40bf9db4a9efd5c8fb53287a508d165f14",
"status": "affected",
"version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/kl5kusb105.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: kl5kusb105: fix bulk-out buffer overflow\n\nklsi_105_prepare_write_buffer() is called by the generic write path\nwith the bulk-out buffer and its size (bulk_out_size, 64 bytes). It\nstores a two-byte length header at the start of the buffer and copies\nthe payload from the write fifo starting at buf + KLSI_HDR_LEN, but\npasses the full buffer size as the number of bytes to copy:\n\n count = kfifo_out_locked(\u0026port-\u003ewrite_fifo, buf + KLSI_HDR_LEN,\n size, \u0026port-\u003elock);\n\nWhen the fifo holds at least size bytes, size bytes are copied starting\ntwo bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its\nend. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for\nthe header as safe_serial already does.\n\nWriting bulk_out_size or more bytes to the tty triggers a slab\nout-of-bounds write, observed with KASAN by emulating the device with\ndummy_hcd and raw-gadget:\n\n BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0\n Write of size 64 at addr ffff888112c62202 by task python3\n kfifo_copy_out\n klsi_105_prepare_write_buffer [kl5kusb105]\n usb_serial_generic_write_start [usbserial]\n Allocated by task 139:\n usb_serial_probe [usbserial]\n The buggy address is located 2 bytes inside of allocated 64-byte region\n\nThe out-of-bounds write no longer occurs with this change applied."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:40:13.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb"
},
{
"url": "https://git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666"
},
{
"url": "https://git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79"
},
{
"url": "https://git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada"
},
{
"url": "https://git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e"
},
{
"url": "https://git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa"
},
{
"url": "https://git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02"
},
{
"url": "https://git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14"
}
],
"title": "USB: serial: kl5kusb105: fix bulk-out buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53194",
"datePublished": "2026-06-25T08:39:05.017Z",
"dateReserved": "2026-06-09T07:44:35.390Z",
"dateUpdated": "2026-07-02T12:05:23.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52922 (GCVE-0-2026-52922)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-28 06:36
Title
batman-adv: dat: handle forward allocation error
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: dat: handle forward allocation error
batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb
for each DHT candidate, but does not check the return value before passing
it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences
the skb unconditionally, so a failed allocation triggers a NULL pointer
dereference.
Skip forwarding to the current DHT candidate on allocation failure.
Severity
7.5 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/distributed-arp-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bcebaedfb8479cb4affb23c7a0d000ca9a20e73",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "2edb8aeb3cdda9d00ec4997252dc5bcd6f54d8ef",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "ce0c381199402a2c58f4599f4f6ed100d872d0da",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "866ac1d57040ed0b44ca732e3c66b3aa6b93011c",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "4d420d9ee70a220a2cd95aa0dd2e15acad66a505",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "9cceea8eeba710def2a5707ee00f00c74a9a1cac",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "cf48e75fc4fe0d5cc7721c82d454221d01367b93",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
},
{
"lessThan": "2d8826a2d3657cea66fb0370f9e521575a673871",
"status": "affected",
"version": "785ea1144182c341b8b85b0f8180291839d176a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/distributed-arp-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: dat: handle forward allocation error\n\nbatadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb\nfor each DHT candidate, but does not check the return value before passing\nit to batadv_send_skb_prepare_unicast_4addr(). That function dereferences\nthe skb unconditionally, so a failed allocation triggers a NULL pointer\ndereference.\n\nSkip forwarding to the current DHT candidate on allocation failure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:43.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bcebaedfb8479cb4affb23c7a0d000ca9a20e73"
},
{
"url": "https://git.kernel.org/stable/c/2edb8aeb3cdda9d00ec4997252dc5bcd6f54d8ef"
},
{
"url": "https://git.kernel.org/stable/c/ce0c381199402a2c58f4599f4f6ed100d872d0da"
},
{
"url": "https://git.kernel.org/stable/c/866ac1d57040ed0b44ca732e3c66b3aa6b93011c"
},
{
"url": "https://git.kernel.org/stable/c/4d420d9ee70a220a2cd95aa0dd2e15acad66a505"
},
{
"url": "https://git.kernel.org/stable/c/9cceea8eeba710def2a5707ee00f00c74a9a1cac"
},
{
"url": "https://git.kernel.org/stable/c/cf48e75fc4fe0d5cc7721c82d454221d01367b93"
},
{
"url": "https://git.kernel.org/stable/c/2d8826a2d3657cea66fb0370f9e521575a673871"
}
],
"title": "batman-adv: dat: handle forward allocation error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52922",
"datePublished": "2026-06-24T07:14:17.185Z",
"dateReserved": "2026-06-09T07:44:35.367Z",
"dateUpdated": "2026-06-28T06:36:43.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52930 (GCVE-0-2026-52930)
Vulnerability from cvelistv5 – Published: 2026-06-24 07:14 – Updated: 2026-06-24 07:14
Title
ipc/shm: serialize orphan cleanup with shm_nattch updates
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc/shm: serialize orphan cleanup with shm_nattch updates
shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
does not serialize all fields tested by shm_may_destroy(). In particular,
shm_nattch is updated while holding shm_perm.lock, and attach paths can do
that without holding the rwsem.
Do not decide that an orphaned segment is unused before taking the object
lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
other destroy paths, and unlock the segment when it no longer qualifies
for removal.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < b1e9aef48e4d8a0c1b54fb913077b0824ed7d650 (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < 92cda2593cf2ed25b0e9d78e5e6d8303bba1a064 (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < 1f0d01e35dbb228084d5187212e32c91a30dcbeb (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < 6560be3f6a5bb84f006f184f0c966747bb58e1a3 (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < b5107b4ce3ad45fcf369ee2058c8910620f4b5a8 (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < db752ebfdaf2c7f27cd9690ef48b616af068319c (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < 030bbc857bd51d4b25a90d931d3f8775ef22823a (git) |
| Linux | Linux | Affected: 4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d, < 2e5c6f4fd4001562781e99bbfc7f1f0127187542 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1e9aef48e4d8a0c1b54fb913077b0824ed7d650",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "92cda2593cf2ed25b0e9d78e5e6d8303bba1a064",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "1f0d01e35dbb228084d5187212e32c91a30dcbeb",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "6560be3f6a5bb84f006f184f0c966747bb58e1a3",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "b5107b4ce3ad45fcf369ee2058c8910620f4b5a8",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "db752ebfdaf2c7f27cd9690ef48b616af068319c",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "030bbc857bd51d4b25a90d931d3f8775ef22823a",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
},
{
"lessThan": "2e5c6f4fd4001562781e99bbfc7f1f0127187542",
"status": "affected",
"version": "4c677e2eefdba9c5bfc4474e2e91b26ae8458a1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"ipc/shm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc/shm: serialize orphan cleanup with shm_nattch updates\n\nshm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that\ndoes not serialize all fields tested by shm_may_destroy(). In particular,\nshm_nattch is updated while holding shm_perm.lock, and attach paths can do\nthat without holding the rwsem.\n\nDo not decide that an orphaned segment is unused before taking the object\nlock. Move the shm_may_destroy() check under shm_perm.lock, matching the\nother destroy paths, and unlock the segment when it no longer qualifies\nfor removal."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T07:14:22.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1e9aef48e4d8a0c1b54fb913077b0824ed7d650"
},
{
"url": "https://git.kernel.org/stable/c/92cda2593cf2ed25b0e9d78e5e6d8303bba1a064"
},
{
"url": "https://git.kernel.org/stable/c/1f0d01e35dbb228084d5187212e32c91a30dcbeb"
},
{
"url": "https://git.kernel.org/stable/c/6560be3f6a5bb84f006f184f0c966747bb58e1a3"
},
{
"url": "https://git.kernel.org/stable/c/b5107b4ce3ad45fcf369ee2058c8910620f4b5a8"
},
{
"url": "https://git.kernel.org/stable/c/db752ebfdaf2c7f27cd9690ef48b616af068319c"
},
{
"url": "https://git.kernel.org/stable/c/030bbc857bd51d4b25a90d931d3f8775ef22823a"
},
{
"url": "https://git.kernel.org/stable/c/2e5c6f4fd4001562781e99bbfc7f1f0127187542"
}
],
"title": "ipc/shm: serialize orphan cleanup with shm_nattch updates",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52930",
"datePublished": "2026-06-24T07:14:22.704Z",
"dateReserved": "2026-06-09T07:44:35.369Z",
"dateUpdated": "2026-06-24T07:14:22.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53133 (GCVE-0-2026-53133)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:38 – Updated: 2026-06-28 06:39
Title
RDMA/umem: Fix truncation for block sizes >= 4G
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umem: Fix truncation for block sizes >= 4G
When the iommu is used the linearization of the mapping can give a single
block that is very large split across multiple SG entries.
When __rdma_block_iter_next() reassembles the split SG entries it is
overflowing the 32 bit stack values and computed the wrong DMA addresses
for blocks after the truncation.
Use the right types to hold DMA addresses.
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < 2ff4b7817e5b78070c30f5fb5e678e452a2628b3 (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < dee2a49adeeb2a5e16a3fc858fa21b841c519802 (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < cc644d5608e3b0dadc970bd6e6aa26b91ea07d0f (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < 8fe0231adebe086c8a459c790944ac026cd99c6e (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < baf8685bcf56dc1efb44b8f6a57c42516e549068 (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < afd35fec9297195b759078745549c2671223f24f (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < ac1aad8e1281534ce936c250f68084fc79c5469e (git) |
| Linux | Linux | Affected: a808273a495c657e33281b181fd7fcc2bb28f662, < 15fe76e23615f502d051ef0768f86babaf08746c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ff4b7817e5b78070c30f5fb5e678e452a2628b3",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "dee2a49adeeb2a5e16a3fc858fa21b841c519802",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "cc644d5608e3b0dadc970bd6e6aa26b91ea07d0f",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "8fe0231adebe086c8a459c790944ac026cd99c6e",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "baf8685bcf56dc1efb44b8f6a57c42516e549068",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "afd35fec9297195b759078745549c2671223f24f",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "ac1aad8e1281534ce936c250f68084fc79c5469e",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "15fe76e23615f502d051ef0768f86babaf08746c",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umem: Fix truncation for block sizes \u003e= 4G\n\nWhen the iommu is used the linearization of the mapping can give a single\nblock that is very large split across multiple SG entries.\n\nWhen __rdma_block_iter_next() reassembles the split SG entries it is\noverflowing the 32 bit stack values and computed the wrong DMA addresses\nfor blocks after the truncation.\n\nUse the right types to hold DMA addresses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:39:28.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ff4b7817e5b78070c30f5fb5e678e452a2628b3"
},
{
"url": "https://git.kernel.org/stable/c/dee2a49adeeb2a5e16a3fc858fa21b841c519802"
},
{
"url": "https://git.kernel.org/stable/c/cc644d5608e3b0dadc970bd6e6aa26b91ea07d0f"
},
{
"url": "https://git.kernel.org/stable/c/8fe0231adebe086c8a459c790944ac026cd99c6e"
},
{
"url": "https://git.kernel.org/stable/c/baf8685bcf56dc1efb44b8f6a57c42516e549068"
},
{
"url": "https://git.kernel.org/stable/c/afd35fec9297195b759078745549c2671223f24f"
},
{
"url": "https://git.kernel.org/stable/c/ac1aad8e1281534ce936c250f68084fc79c5469e"
},
{
"url": "https://git.kernel.org/stable/c/15fe76e23615f502d051ef0768f86babaf08746c"
}
],
"title": "RDMA/umem: Fix truncation for block sizes \u003e= 4G",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53133",
"datePublished": "2026-06-25T08:38:22.469Z",
"dateReserved": "2026-06-09T07:44:35.386Z",
"dateUpdated": "2026-06-28T06:39:28.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53270 (GCVE-0-2026-53270)
Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:41
Title
ipvs: clear the svc scheduler ptr early on edit
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: clear the svc scheduler ptr early on edit
ip_vs_edit_service() while unbinding the old scheduler clears
the svc->scheduler ptr after the scheduler module initiates
RCU callbacks. This can cause packets to use the old
scheduler at the time when svc->sched_data is already freed
after RCU grace period.
Fix it by clearing the ptr early in ip_vs_unbind_scheduler(),
before the done_service method schedules any RCU callbacks.
Also, if the new scheduler fails to initialize when replacing
the old scheduler, try to restore the old scheduler while still
returning the error code.
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < d10730a1f2caf08088e0db1b19b242f3e6fa5f06 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < e4feec3174036ba772006be74beee0efa09a9eb8 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < 7d4f5004511757e3984901ffb412fcf858d80ed5 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < c6376b9b1b4d2bad638256b1b3588e073344ae69 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < 14e4689c113b4c06af1069364ade24fdd7055f33 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < 25918720ba97f974a4f8d433b5a0132c5b43f6f3 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < 19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03 (git) |
| Linux | Linux | Affected: 05f00505a89acd21f5d0d20f5797dfbc4cf85243, < 193989cc6d80dd8e0460fb3992e69fa03bf0ff9b (git) |
| Linux | Linux | Affected: c803fddd2a95a70873c68dbff42d4c59fd2e674e (git) |
| Linux | Linux | Affected: 4ec8fb23158797affae7993c15beba080488482f (git) |
| Linux | Linux | Affected: 3.18.23, < 3.19 (semver) |
| Linux | Linux | Affected: 4.1.11, < 4.2 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip_vs.h",
"net/netfilter/ipvs/ip_vs_ctl.c",
"net/netfilter/ipvs/ip_vs_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d10730a1f2caf08088e0db1b19b242f3e6fa5f06",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "e4feec3174036ba772006be74beee0efa09a9eb8",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "7d4f5004511757e3984901ffb412fcf858d80ed5",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "c6376b9b1b4d2bad638256b1b3588e073344ae69",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "14e4689c113b4c06af1069364ade24fdd7055f33",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "25918720ba97f974a4f8d433b5a0132c5b43f6f3",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"lessThan": "193989cc6d80dd8e0460fb3992e69fa03bf0ff9b",
"status": "affected",
"version": "05f00505a89acd21f5d0d20f5797dfbc4cf85243",
"versionType": "git"
},
{
"status": "affected",
"version": "c803fddd2a95a70873c68dbff42d4c59fd2e674e",
"versionType": "git"
},
{
"status": "affected",
"version": "4ec8fb23158797affae7993c15beba080488482f",
"versionType": "git"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.23",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip_vs.h",
"net/netfilter/ipvs/ip_vs_ctl.c",
"net/netfilter/ipvs/ip_vs_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: clear the svc scheduler ptr early on edit\n\nip_vs_edit_service() while unbinding the old scheduler clears\nthe svc-\u003escheduler ptr after the scheduler module initiates\nRCU callbacks. This can cause packets to use the old\nscheduler at the time when svc-\u003esched_data is already freed\nafter RCU grace period.\n\nFix it by clearing the ptr early in ip_vs_unbind_scheduler(),\nbefore the done_service method schedules any RCU callbacks.\n\nAlso, if the new scheduler fails to initialize when replacing\nthe old scheduler, try to restore the old scheduler while still\nreturning the error code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:41:14.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d10730a1f2caf08088e0db1b19b242f3e6fa5f06"
},
{
"url": "https://git.kernel.org/stable/c/e4feec3174036ba772006be74beee0efa09a9eb8"
},
{
"url": "https://git.kernel.org/stable/c/7d4f5004511757e3984901ffb412fcf858d80ed5"
},
{
"url": "https://git.kernel.org/stable/c/c6376b9b1b4d2bad638256b1b3588e073344ae69"
},
{
"url": "https://git.kernel.org/stable/c/14e4689c113b4c06af1069364ade24fdd7055f33"
},
{
"url": "https://git.kernel.org/stable/c/25918720ba97f974a4f8d433b5a0132c5b43f6f3"
},
{
"url": "https://git.kernel.org/stable/c/19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03"
},
{
"url": "https://git.kernel.org/stable/c/193989cc6d80dd8e0460fb3992e69fa03bf0ff9b"
}
],
"title": "ipvs: clear the svc scheduler ptr early on edit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53270",
"datePublished": "2026-06-25T08:39:55.830Z",
"dateReserved": "2026-06-09T07:44:35.395Z",
"dateUpdated": "2026-06-28T06:41:14.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}